Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1579344
MD5: f82416bcf25171ccfda8e9325c3a92dc
SHA1: 9db33361a9cb34b352a9fe17ea06a659b247bbbc
SHA256: 3d8bd5d204ef586f2958455a4f57cd493580978c83c34759839dcdd5e4d9f120
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000000.00000002.2108752240.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "sustainskelet.lat", "crosshuaht.lat", "grannyejh.lat", "bellflamre.click", "discokeyus.lat", "aspecteirs.lat", "rapeflowwj.lat", "necklacebudi.lat"], "Build id": "LPnhqo--pndzrnkjnmnw"}
Source: 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1019601001\a53907268b.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1019602001\647da3efc5.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1019603001\d0c6b9d6b8.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1019604001\0c0e50df68.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 58% Perma Link
Source: file.exe ReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\hYW0tgm[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\EUCyhuW[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: bellflamre.click
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: LPnhqo--pndzrnkjnmnw
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00417496 CryptUnprotectData, 9_2_00417496
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: 9f6ea82062.exe, 00000020.00000002.4069578254.000000006C0DD000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: nss3.pdb@ source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000006.00000003.4278061535.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4281279423.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: skotes.exe, 00000006.00000003.4278061535.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4281279423.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 5936bfa4af.exe, 0000002C.00000002.3621203518.0000000000192000.00000040.00000001.01000000.00000016.sdmp
Source: Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: 17ce3a84e4.exe, 0000001B.00000003.4436703085.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000000.3007120509.00000000005EC000.00000002.00000001.01000000.0000000F.sdmp, 17ce3a84e4.exe, 0000001B.00000002.4512003521.00000000005EC000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: mozglue.pdb source: 9f6ea82062.exe, 00000020.00000002.4069578254.000000006C0DD000.00000002.00000001.01000000.0000001E.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00386304 FindFirstFileExW, 7_2_00386304
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_003863B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_003863B5
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00386304 FindFirstFileExW, 9_2_00386304
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_003863B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 9_2_003863B5
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\370821
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\370821\
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov edx, ecx 9_2_0043D0F0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 71B3F069h 9_2_0043D0F0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov esi, eax 9_2_0042A95E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_0042A95E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ecx, eax 9_2_00439170
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx ecx, byte ptr [esp+edi+5602E8D9h] 9_2_0040C1BE
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-0EAF77CFh] 9_2_0042B299
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 2DA07A80h 9_2_0043D330
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ebx, edx 9_2_00436460
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 9_2_00417496
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx+042DD56Dh] 9_2_0043B4A3
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 9_2_00421DC5
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 9_2_0043D580
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 5D0AA591h 9_2_0043B6EA
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ecx, edx 9_2_0043D690
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ecx, eax 9_2_0040A800
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 12BAC918h 9_2_0041780D
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 9_2_00418810
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 9_2_004398D0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 9_2_004398D0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov edx, ecx 9_2_004398D0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then jmp dword ptr [004436A4h] 9_2_004158F0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-4B2E9D9Fh] 9_2_004288FA
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ebx, eax 9_2_004058B0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ebp, eax 9_2_004058B0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ecx, eax 9_2_0043D900
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 9_2_004331E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-29h] 9_2_00409190
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov esi, edx 9_2_00424A40
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov esi, eax 9_2_0042A959
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_0042A959
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h] 9_2_0042826A
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000B4h] 9_2_00421221
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx ebp, byte ptr [esp+edi+0Ch] 9_2_004082E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov word ptr [eax], cx 9_2_004152EC
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [eax] 9_2_00429A80
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov edx, ecx 9_2_0043BAB1
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [ebp+00h], al 9_2_0041CB00
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [edi], cl 9_2_0042C31E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then call dword ptr [00440DA8h] 9_2_0040CBF6
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], C7235EAFh 9_2_0043D460
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h] 9_2_00407410
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 9_2_00407410
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ecx, eax 9_2_004254C0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp al, 2Eh 9_2_004254E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [edx], al 9_2_004254E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-466F3075h] 9_2_004254E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 9_2_00413CF0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edx, byte ptr [esi+ecx+60h] 9_2_0040ACB0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 9_2_00428D20
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [esi], al 9_2_00429DE3
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then add ecx, FFFFFFFEh 9_2_00436DF0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov ecx, eax 9_2_00409580
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx eax, byte ptr [esp+ebp+458F1EF1h] 9_2_00409580
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then jmp ecx 9_2_00426D90
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edx, byte ptr [eax] 9_2_00426D90
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-7B590292h] 9_2_0041FE5F
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-4B2E9DB5h] 9_2_00427660
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000ABh] 9_2_00414E1A
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-4B2E9DB5h] 9_2_00427660
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Eh] 9_2_00427EC0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx ebp, byte ptr [esp+esi-14h] 9_2_00435F70
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Eh] 9_2_00427726
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [ecx], al 9_2_0040C7AC
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 4x nop then mov byte ptr [ecx], al 9_2_0040C7AC
Source: firefox.exe Memory has grown: Private usage: 1MB later: 179MB

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: bellflamre.click
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor IPs: 185.215.113.43
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 104.21.21.99 104.21.21.99
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EBE0C0 recv,recv,recv,recv, 0_2_00EBE0C0
Source: 580c9354ec.exe, 0000001F.00000003.4358124840.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 580c9354ec.exe, 0000001F.00000003.4347342206.0000000001215000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.4360295909.00000000059D2000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.4358124840.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 580c9354ec.exe, 0000001F.00000003.4347342206.0000000001215000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.4358124840.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe?
Source: 580c9354ec.exe, 0000001F.00000003.4358124840.0000000001215000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000024.00000002.4260064567.000000000164D000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000024.00000002.4260064567.00000000015FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 9f6ea82062.exe, 00000024.00000002.4260064567.000000000164D000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000024.00000002.4260064567.00000000015FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll.
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllConneb
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllllj
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllg
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllF
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 9f6ea82062.exe, 00000024.00000002.4260064567.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/9
Source: 9f6ea82062.exe, 00000024.00000002.4260064567.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/Local
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000024.00000002.4260064567.000000000164D000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000024.00000002.4260064567.00000000015FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 9f6ea82062.exe, 00000024.00000002.4260064567.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/a
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php34
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php8
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php;
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpBrowser
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpP5
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpe13b062b4c5e95f4989d6bd1e553
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpinit.exe
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpl
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000024.00000002.4260064567.000000000164D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpo
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.206/form-data;
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.206FCG
Source: 9f6ea82062.exe, 00000024.00000002.4260064567.00000000015FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206b
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpion:
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8001
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 17ce3a84e4.exe, 0000001B.00000003.4498901768.000000000152C000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000002.4524131042.000000000152C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mw
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4278061535.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4278061535.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4278061535.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4278061535.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: SurveillanceWalls.exe, 0000000E.00000002.2860938966.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, SurveillanceWalls.exe, 0000000E.00000000.2852400591.0000000000409000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4278061535.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: SurveillanceWalls.exe, 0000000E.00000002.2860963000.0000000000420000.00000004.00000001.01000000.0000000B.sdmp, Sale.com, 00000018.00000000.2879703042.0000000000855000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 580c9354ec.exe, 0000001F.00000003.3614760975.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3572256199.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3870761939.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3803442222.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3927069843.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.x
Source: 9f6ea82062.exe, 00000020.00000002.4069578254.000000006C0DD000.00000002.00000001.01000000.0000001E.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4066981270.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: EUCyhuW.exe, 00000009.00000003.2853484209.00000000037FD000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3378806018.000000000397D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3603169180.0000000005A83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EUCyhuW.exe, 00000009.00000003.2856083987.000000000378F000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3385290739.000000000390D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3641823591.0000000005A5F000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: EUCyhuW.exe, 00000009.00000003.2856083987.000000000378F000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3385290739.000000000390D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3641823591.0000000005A5F000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EUCyhuW.exe, 00000009.00000003.2856083987.000000000378F000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3385290739.000000000390D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3641823591.0000000005A5F000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: EUCyhuW.exe, 00000009.00000003.2856083987.000000000378F000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3385290739.000000000390D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3641823591.0000000005A5F000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 580c9354ec.exe, 0000001F.00000003.4358124840.0000000001215000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3797185380.0000000001213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/
Source: EUCyhuW.exe, 00000009.00000002.3138189518.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.3093948172.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/%
Source: EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/(
Source: 580c9354ec.exe, 0000001F.00000003.3535631558.0000000005A4E000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3535225334.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/-
Source: EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/.
Source: EUCyhuW.exe, 00000009.00000003.2852327758.0000000003784000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2852015292.0000000003784000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2888145590.0000000003784000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2852833290.0000000003784000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/90BH
Source: EUCyhuW.exe, 00000009.00000003.2828355789.0000000003773000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/JJFf
Source: EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/Q
Source: EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/V
Source: EUCyhuW.exe, 00000009.00000003.2851829493.0000000003787000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.3093424754.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2852265070.000000000378A000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2852327758.0000000003773000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000002.3138189518.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2913644011.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000002.3138169097.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2913722505.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2878424864.0000000003791000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.3093424754.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.3093948172.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2877959925.0000000003791000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2852015292.0000000003773000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2930693716.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2913252442.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2852833290.0000000003773000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3694965286.0000000001225000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3614760975.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api
Source: 580c9354ec.exe, 0000001F.00000003.3694965286.0000000001225000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3684252207.0000000001225000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3763354814.0000000001224000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3669275426.0000000001224000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api/
Source: EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apiH
Source: EUCyhuW.exe, 00000009.00000003.3093424754.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000002.3138189518.0000000000F03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apiLb
Source: 580c9354ec.exe, 0000001F.00000003.3927069843.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apij
Source: EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apis
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 17ce3a84e4.exe, 0000001B.00000002.4524131042.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000003.4498901768.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000003.4498901768.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000002.4524131042.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fieldhitty.click/
Source: 17ce3a84e4.exe, 0000001B.00000002.4524131042.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fieldhitty.click/api
Source: 17ce3a84e4.exe, 0000001B.00000003.4498901768.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000002.4524131042.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fieldhitty.click/api&
Source: 17ce3a84e4.exe, 0000001B.00000003.4488835946.00000000014C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fieldhitty.click/api9
Source: 17ce3a84e4.exe, 0000001B.00000002.4522542200.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000003.4488835946.00000000014BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fieldhitty.click/apii
Source: 17ce3a84e4.exe, 0000001B.00000003.4498901768.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000002.4524131042.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fieldhitty.click/c
Source: 17ce3a84e4.exe, 0000001B.00000002.4524131042.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000003.4498901768.00000000014CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fieldhitty.click:443/api
Source: skotes.exe, 00000006.00000003.4278061535.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4281279423.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: skotes.exe, 00000006.00000003.4278061535.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4281279423.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe
Source: 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 412ec13ac5.exe, 0000001E.00000003.3207231180.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3373433430.00000000038FE000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3622898084.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3298472752.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3551750660.000000000117D000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3412770399.0000000003905000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3592146204.000000000117E000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000002.3657261192.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3412261797.00000000038FC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3298172128.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000002.3658768402.000000000117E000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3374828427.0000000003905000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3630270875.000000000117E000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3593252563.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3548292393.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/
Source: 412ec13ac5.exe, 0000001E.00000003.3179102375.0000000001139000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/.
Source: 412ec13ac5.exe, 0000001E.00000003.3207422516.0000000001138000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3207231180.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/2
Source: 412ec13ac5.exe, 0000001E.00000003.3207422516.0000000001138000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3207231180.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/M
Source: 412ec13ac5.exe, 0000001E.00000003.3375729196.0000000003907000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/P
Source: 412ec13ac5.exe, 0000001E.00000003.3630270875.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3207231180.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3589106795.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3298372606.0000000001196000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3467586885.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000002.3658768402.000000000117E000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3548508878.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3630270875.000000000117E000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3593252563.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/api
Source: 412ec13ac5.exe, 0000001E.00000003.3632525311.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3622898084.0000000001139000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000002.3658232025.0000000001139000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/api$
Source: 412ec13ac5.exe, 0000001E.00000003.3207422516.0000000001138000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3207231180.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/api-
Source: 412ec13ac5.exe, 0000001E.00000002.3659052898.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3630270875.000000000118F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/apiDV
Source: 412ec13ac5.exe, 0000001E.00000002.3659052898.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3630270875.000000000118F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/apiIV
Source: 412ec13ac5.exe, 0000001E.00000003.3551750660.000000000117D000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3592146204.000000000117E000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3548292393.0000000001176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click/pi
Source: 412ec13ac5.exe, 0000001E.00000003.3438661334.000000000390E000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3596871072.000000000390E000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3452315135.000000000390E000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3480531158.000000000390E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click:443/api
Source: 412ec13ac5.exe, 0000001E.00000003.3412770399.000000000390E000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3548818763.000000000390E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pancakedipyps.click:443/api(
Source: skotes.exe, 00000006.00000003.4278061535.0000000005B63000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4278061535.0000000005B81000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 580c9354ec.exe, 0000001F.00000003.3627062430.00000000060B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: EUCyhuW.exe, 00000009.00000003.2856083987.000000000378F000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3385290739.000000000390D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3641823591.0000000005A5F000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: EUCyhuW.exe, 00000009.00000003.2856083987.000000000378F000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3385290739.000000000390D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3641823591.0000000005A5F000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B8E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: EUCyhuW.exe, 00000009.00000003.2805310164.0000000003728000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805076562.000000000372B000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805196036.0000000003728000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3245396945.00000000038AC000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250034677.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3249885987.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3466602606.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3467960261.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3476918307.0000000005A0A000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3531478078.00000000009F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000BB7000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: EUCyhuW.exe, 00000009.00000003.2855580387.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3382726374.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3627062430.00000000060B2000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: EUCyhuW.exe, 00000009.00000003.2855580387.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3382726374.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3627062430.00000000060B2000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: EUCyhuW.exe, 00000009.00000003.2855580387.0000000003A15000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3382726374.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3627062430.00000000060B2000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3834740498.000000000BA2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000031.00000002.3493824464.000001D0EF6B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3494265817.000001D0F10A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000003.3492499042.000001D0EF6CD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3493939340.000001D0EF6D2000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000032.00000003.3804628103.000000000177B000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000032.00000003.3808584450.000000000177B000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000032.00000003.3727043148.0000000001577000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000032.00000003.3830810642.000000000177B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000031.00000002.3493824464.000001D0EF6BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: 51ecf08926.exe, 00000021.00000003.3535624044.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3527139592.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3405370218.00000000016DA000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3581429163.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3587715027.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3490233583.00000000016DA000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000002.3629103561.00000000016FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdQ
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00431160 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 9_2_00431160
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00431160 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 9_2_00431160
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00431705 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 9_2_00431705

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 51ecf08926.exe, 00000021.00000000.3354831484.00000000004A2000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1d007e67-1
Source: 51ecf08926.exe, 00000021.00000000.3354831484.00000000004A2000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_6610fd3f-6
Source: 51ecf08926.exe, 00000032.00000000.3491748335.00000000004A2000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_01ad68a9-e
Source: 51ecf08926.exe, 00000032.00000000.3491748335.00000000004A2000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_dc7d74f3-7
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: 580c9354ec.exe.6.dr Static PE information: section name:
Source: 580c9354ec.exe.6.dr Static PE information: section name: .idata
Source: 580c9354ec.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: 9f6ea82062.exe.6.dr Static PE information: section name:
Source: 9f6ea82062.exe.6.dr Static PE information: section name: .idata
Source: random[2].exe0.6.dr Static PE information: section name:
Source: random[2].exe0.6.dr Static PE information: section name: .idata
Source: 5936bfa4af.exe.6.dr Static PE information: section name:
Source: 5936bfa4af.exe.6.dr Static PE information: section name: .idata
Source: random[2].exe2.6.dr Static PE information: section name:
Source: random[2].exe2.6.dr Static PE information: section name: .idata
Source: random[2].exe2.6.dr Static PE information: section name:
Source: a53907268b.exe.6.dr Static PE information: section name:
Source: a53907268b.exe.6.dr Static PE information: section name: .idata
Source: a53907268b.exe.6.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\KrugerPowers
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\GradVitamins
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\ScienceCom
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\FarmingDesignation
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\OmissionsEmerald
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\BaconTicket
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\RenewableProgramme
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe File created: C:\Windows\SodiumLegend
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF78BB 0_2_00EF78BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF8860 0_2_00EF8860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF7049 0_2_00EF7049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF31A8 0_2_00EF31A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC7B6E 0_2_00FC7B6E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB4B30 0_2_00EB4B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EB4DE0 0_2_00EB4DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF2D10 0_2_00EF2D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EF779B 0_2_00EF779B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EE7F36 0_2_00EE7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00708860 2_2_00708860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00707049 2_2_00707049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_007078BB 2_2_007078BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_007031A8 2_2_007031A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_006C4B30 2_2_006C4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00702D10 2_2_00702D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_006C4DE0 2_2_006C4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_006F7F36 2_2_006F7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0070779B 2_2_0070779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00708860 3_2_00708860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00707049 3_2_00707049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_007078BB 3_2_007078BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_007031A8 3_2_007031A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_006C4B30 3_2_006C4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00702D10 3_2_00702D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_006C4DE0 3_2_006C4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_006F7F36 3_2_006F7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_0070779B 3_2_0070779B
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00361000 7_2_00361000
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00378741 7_2_00378741
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_0037E930 7_2_0037E930
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_0038BA42 7_2_0038BA42
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00379B40 7_2_00379B40
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00389C73 7_2_00389C73
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00373CDF 7_2_00373CDF
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00361000 9_2_00361000
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00378741 9_2_00378741
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0037E930 9_2_0037E930
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0038BA42 9_2_0038BA42
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00379B40 9_2_00379B40
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00389C73 9_2_00389C73
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00373CDF 9_2_00373CDF
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00436080 9_2_00436080
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042A95E 9_2_0042A95E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00439170 9_2_00439170
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004251C0 9_2_004251C0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042B299 9_2_0042B299
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042BA99 9_2_0042BA99
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00436460 9_2_00436460
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041042D 9_2_0041042D
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0040D4C5 9_2_0040D4C5
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00417496 9_2_00417496
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043B4A3 9_2_0043B4A3
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00421DC5 9_2_00421DC5
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043B6EA 9_2_0043B6EA
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043D690 9_2_0043D690
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043DF40 9_2_0043DF40
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043AF5D 9_2_0043AF5D
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00408760 9_2_00408760
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041FF00 9_2_0041FF00
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00435870 9_2_00435870
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0040A800 9_2_0040A800
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041780D 9_2_0041780D
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00418810 9_2_00418810
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004038D0 9_2_004038D0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004398D0 9_2_004398D0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004088E0 9_2_004088E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004058B0 9_2_004058B0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043D900 9_2_0043D900
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00435124 9_2_00435124
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00409190 9_2_00409190
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041C190 9_2_0041C190
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004061A0 9_2_004061A0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004089B0 9_2_004089B0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00424A40 9_2_00424A40
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00419A60 9_2_00419A60
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042A959 9_2_0042A959
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00433A00 9_2_00433A00
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00421221 9_2_00421221
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004272D2 9_2_004272D2
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00420AD0 9_2_00420AD0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00435AD0 9_2_00435AD0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00404280 9_2_00404280
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00416292 9_2_00416292
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042DB62 9_2_0042DB62
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041CB00 9_2_0041CB00
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00415B32 9_2_00415B32
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043CB30 9_2_0043CB30
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00404BC0 9_2_00404BC0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004263C7 9_2_004263C7
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0040EBCD 9_2_0040EBCD
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043DBE0 9_2_0043DBE0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0040CC41 9_2_0040CC41
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042D46A 9_2_0042D46A
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00407410 9_2_00407410
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004254C0 9_2_004254C0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00430CC0 9_2_00430CC0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00416CD2 9_2_00416CD2
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004254E0 9_2_004254E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00413CF0 9_2_00413CF0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043C4A0 9_2_0043C4A0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0040ACB0 9_2_0040ACB0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042656B 9_2_0042656B
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00423D32 9_2_00423D32
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004395E0 9_2_004395E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00436DF0 9_2_00436DF0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00409580 9_2_00409580
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00426D90 9_2_00426D90
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043C590 9_2_0043C590
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041C5A0 9_2_0041C5A0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00405E00 9_2_00405E00
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0040F617 9_2_0040F617
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00406630 9_2_00406630
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00427EC0 9_2_00427EC0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00402ED0 9_2_00402ED0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004246E0 9_2_004246E0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00408E90 9_2_00408E90
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041AE90 9_2_0041AE90
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043C690 9_2_0043C690
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00417E95 9_2_00417E95
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041BEA0 9_2_0041BEA0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00419760 9_2_00419760
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00414770 9_2_00414770
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0041DF70 9_2_0041DF70
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0042EF10 9_2_0042EF10
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00430F10 9_2_00430F10
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00410F14 9_2_00410F14
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043471B 9_2_0043471B
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00427726 9_2_00427726
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043C730 9_2_0043C730
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043C7C0 9_2_0043C7C0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00EC80C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 006DDF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 006D80C0 appears 260 times
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: String function: 003814C4 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: String function: 0037D05E appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: String function: 00413CE0 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: String function: 003741E0 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: String function: 00407FD0 appears 48 times
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 304
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EUCyhuW[1].exe.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003407005613125
Source: EUCyhuW.exe.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003407005613125
Source: random[1].exe0.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random[1].exe0.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: 412ec13ac5.exe.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: 412ec13ac5.exe.6.dr Static PE information: Section: .bss ZLIB complexity 1.0003343485169491
Source: random[1].exe1.6.dr Static PE information: Section: ZLIB complexity 0.9973980629280822
Source: random[1].exe1.6.dr Static PE information: Section: gysvhwxe ZLIB complexity 0.9946611807036247
Source: 580c9354ec.exe.6.dr Static PE information: Section: ZLIB complexity 0.9973980629280822
Source: 580c9354ec.exe.6.dr Static PE information: Section: gysvhwxe ZLIB complexity 0.9946611807036247
Source: random[2].exe2.6.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: random[2].exe2.6.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
Source: a53907268b.exe.6.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: a53907268b.exe.6.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
Source: random[2].exe0.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 5936bfa4af.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@114/80@0/21
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00436460 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 9_2_00436460
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\EUCyhuW[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6496
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe System information queried: HandleInformation
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp, 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp, 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp, 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp, 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp, 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp, 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: EUCyhuW.exe, 00000009.00000003.2805649505.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2805476460.0000000003716000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3342590857.0000000003912000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250195439.0000000003897000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3333980226.000000000387F000.00000004.00000800.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3250778707.000000000387A000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3488469343.00000000059F8000.00000004.00000800.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3492015539.00000000059DD000.00000004.00000800.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3678574025.000000000563C000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000003.3530217719.0000000005648000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 9f6ea82062.exe, 00000020.00000002.4047572344.0000000005794000.00000004.00000020.00020000.00000000.sdmp, 9f6ea82062.exe, 00000020.00000002.4065557935.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe Virustotal: Detection: 58%
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe "C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe"
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process created: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe "C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe"
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 304
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe "C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe"
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 370821
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Anchor" Veterinary
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka w
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Sale.com w
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe "C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe "C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe "C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe"
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Process created: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe "C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe "C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe "C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe "C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe"
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe "C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe"
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1916,i,5817995298996924960,10670888794113214286,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe "C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe"
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe "C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe"
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe "C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe "C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe "C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe "C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe "C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe "C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe "C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe "C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe "C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process created: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe "C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 370821
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Anchor" Veterinary
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka w
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Sale.com w
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Process created: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe "C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe"
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1916,i,5817995298996924960,10670888794113214286,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 3321344 > 1048576
Source: file.exe Static PE information: Raw size of jxvuvlsp is bigger than: 0x100000 < 0x2bee00
Source: Binary string: mozglue.pdbP source: 9f6ea82062.exe, 00000020.00000002.4069578254.000000006C0DD000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: nss3.pdb@ source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000006.00000003.4278061535.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4281279423.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: skotes.exe, 00000006.00000003.4278061535.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.4281279423.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: 9f6ea82062.exe, 00000020.00000002.4077186117.000000006C29F000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 5936bfa4af.exe, 0000002C.00000002.3621203518.0000000000192000.00000040.00000001.01000000.00000016.sdmp
Source: Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: 17ce3a84e4.exe, 0000001B.00000003.4436703085.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000000.3007120509.00000000005EC000.00000002.00000001.01000000.0000000F.sdmp, 17ce3a84e4.exe, 0000001B.00000002.4512003521.00000000005EC000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: mozglue.pdb source: 9f6ea82062.exe, 00000020.00000002.4069578254.000000006C0DD000.00000002.00000001.01000000.0000001E.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.eb0000.0.unpack :EW;.rsrc:W;.idata :W;jxvuvlsp:EW;mchtvxnx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jxvuvlsp:EW;mchtvxnx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.6c0000.0.unpack :EW;.rsrc:W;.idata :W;jxvuvlsp:EW;mchtvxnx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jxvuvlsp:EW;mchtvxnx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.6c0000.0.unpack :EW;.rsrc:W;.idata :W;jxvuvlsp:EW;mchtvxnx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jxvuvlsp:EW;mchtvxnx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Unpacked PE file: 32.2.9f6ea82062.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W;snxelege:EW;ykhzuyiy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;snxelege:EW;ykhzuyiy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Unpacked PE file: 36.2.9f6ea82062.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W;snxelege:EW;ykhzuyiy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;snxelege:EW;ykhzuyiy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Unpacked PE file: 44.2.5936bfa4af.exe.190000.0.unpack :EW;.rsrc:W;.idata :W;fsnanlnd:EW;vmzqagxo:EW;.taggant:EW; vs :ER;.rsrc:W;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: 647da3efc5.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x2c9641 should be: 0x2d370e
Source: SurveillanceWalls.exe.6.dr Static PE information: real checksum: 0x13aed5 should be: 0x14afb9
Source: skotes.exe.0.dr Static PE information: real checksum: 0x334264 should be: 0x3300db
Source: 412ec13ac5.exe.6.dr Static PE information: real checksum: 0x0 should be: 0xc8597
Source: random[2].exe2.6.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x0 should be: 0xc8597
Source: 9f6ea82062.exe.6.dr Static PE information: real checksum: 0x2c9641 should be: 0x2d370e
Source: 580c9354ec.exe.6.dr Static PE information: real checksum: 0x1ca3fb should be: 0x1cf3ec
Source: hYW0tgm[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x5958b
Source: random[2].exe0.6.dr Static PE information: real checksum: 0x2b2e8b should be: 0x2b4359
Source: 5936bfa4af.exe.6.dr Static PE information: real checksum: 0x2b2e8b should be: 0x2b4359
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x1ca3fb should be: 0x1cf3ec
Source: SurveillanceWalls[1].exe.6.dr Static PE information: real checksum: 0x13aed5 should be: 0x14afb9
Source: hYW0tgm.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x5958b
Source: random[3].exe0.6.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: random[2].exe1.6.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: file.exe Static PE information: real checksum: 0x334264 should be: 0x3300db
Source: 0c0e50df68.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: a53907268b.exe.6.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: jxvuvlsp
Source: file.exe Static PE information: section name: mchtvxnx
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: jxvuvlsp
Source: skotes.exe.0.dr Static PE information: section name: mchtvxnx
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name: .fptable
Source: 17ce3a84e4.exe.6.dr Static PE information: section name: .fptable
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: gysvhwxe
Source: random[1].exe1.6.dr Static PE information: section name: isftafyi
Source: random[1].exe1.6.dr Static PE information: section name: .taggant
Source: 580c9354ec.exe.6.dr Static PE information: section name:
Source: 580c9354ec.exe.6.dr Static PE information: section name: .idata
Source: 580c9354ec.exe.6.dr Static PE information: section name:
Source: 580c9354ec.exe.6.dr Static PE information: section name: gysvhwxe
Source: 580c9354ec.exe.6.dr Static PE information: section name: isftafyi
Source: 580c9354ec.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name: snxelege
Source: random[1].exe2.6.dr Static PE information: section name: ykhzuyiy
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: 9f6ea82062.exe.6.dr Static PE information: section name:
Source: 9f6ea82062.exe.6.dr Static PE information: section name: .idata
Source: 9f6ea82062.exe.6.dr Static PE information: section name: snxelege
Source: 9f6ea82062.exe.6.dr Static PE information: section name: ykhzuyiy
Source: 9f6ea82062.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe0.6.dr Static PE information: section name:
Source: random[2].exe0.6.dr Static PE information: section name: .idata
Source: random[2].exe0.6.dr Static PE information: section name: fsnanlnd
Source: random[2].exe0.6.dr Static PE information: section name: vmzqagxo
Source: random[2].exe0.6.dr Static PE information: section name: .taggant
Source: 5936bfa4af.exe.6.dr Static PE information: section name:
Source: 5936bfa4af.exe.6.dr Static PE information: section name: .idata
Source: 5936bfa4af.exe.6.dr Static PE information: section name: fsnanlnd
Source: 5936bfa4af.exe.6.dr Static PE information: section name: vmzqagxo
Source: 5936bfa4af.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe2.6.dr Static PE information: section name:
Source: random[2].exe2.6.dr Static PE information: section name: .idata
Source: random[2].exe2.6.dr Static PE information: section name:
Source: random[2].exe2.6.dr Static PE information: section name: wekcazbo
Source: random[2].exe2.6.dr Static PE information: section name: ttllozcv
Source: random[2].exe2.6.dr Static PE information: section name: .taggant
Source: a53907268b.exe.6.dr Static PE information: section name:
Source: a53907268b.exe.6.dr Static PE information: section name: .idata
Source: a53907268b.exe.6.dr Static PE information: section name:
Source: a53907268b.exe.6.dr Static PE information: section name: wekcazbo
Source: a53907268b.exe.6.dr Static PE information: section name: ttllozcv
Source: a53907268b.exe.6.dr Static PE information: section name: .taggant
Source: msvcp140[1].dll.32.dr Static PE information: section name: .didat
Source: nss3.dll.32.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.32.dr Static PE information: section name: .00cfg
Source: softokn3.dll.32.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.32.dr Static PE information: section name: .00cfg
Source: freebl3.dll.32.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.32.dr Static PE information: section name: .00cfg
Source: mozglue.dll.32.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.32.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.32.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ECD91C push ecx; ret 0_2_00ECD92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EC1359 push es; ret 0_2_00EC135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_006DD91C push ecx; ret 2_2_006DD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_006DD91C push ecx; ret 3_2_006DD92F
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00374303 push ecx; ret 7_2_00374316
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00374303 push ecx; ret 9_2_00374316
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043C3F0 push eax; mov dword ptr [esp], 060504D3h 9_2_0043C3F5
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00439550 push eax; mov dword ptr [esp], D1D2D3D4h 9_2_0043955E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0044251C pushad ; iretd 9_2_004425A3
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004455EC push esp; ret 9_2_004455ED
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_004457A4 push ecx; ret 9_2_004457A5
Source: file.exe Static PE information: section name: entropy: 7.068382572685461
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.068382572685461
Source: random[1].exe1.6.dr Static PE information: section name: entropy: 7.986802269379311
Source: random[1].exe1.6.dr Static PE information: section name: gysvhwxe entropy: 7.954266433248045
Source: 580c9354ec.exe.6.dr Static PE information: section name: entropy: 7.986802269379311
Source: 580c9354ec.exe.6.dr Static PE information: section name: gysvhwxe entropy: 7.954266433248045
Source: random[2].exe2.6.dr Static PE information: section name: entropy: 7.980952558000639
Source: random[2].exe2.6.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
Source: a53907268b.exe.6.dr Static PE information: section name: entropy: 7.980952558000639
Source: a53907268b.exe.6.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019603001\d0c6b9d6b8.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019602001\647da3efc5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019601001\a53907268b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019604001\0c0e50df68.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\hYW0tgm[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\EUCyhuW[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\SurveillanceWalls[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 580c9354ec.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9f6ea82062.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 51ecf08926.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1ba4718074.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5936bfa4af.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 408fbd4e57.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfe1c8ec1f.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e7a844ab2.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Window searched: window name: Regmonclass
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 580c9354ec.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 580c9354ec.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9f6ea82062.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9f6ea82062.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 51ecf08926.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 51ecf08926.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5936bfa4af.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5936bfa4af.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1ba4718074.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1ba4718074.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 408fbd4e57.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 408fbd4e57.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e7a844ab2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9e7a844ab2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfe1c8ec1f.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfe1c8ec1f.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108779D second address: 10877A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F2D3 second address: 109F2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F2D7 second address: 109F2F0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8F4CECCCE6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jg 00007F8F4CECCCE6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F2F0 second address: 109F30A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F8F4C50240Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F5EE second address: 109F5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F5F8 second address: 109F607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F8F4C502406h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F76A second address: 109F770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F770 second address: 109F774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F774 second address: 109F778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F778 second address: 109F784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109F784 second address: 109F788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109FA5F second address: 109FA97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8F4C502417h 0x0000000b popad 0x0000000c push esi 0x0000000d jnl 00007F8F4C502406h 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 push edi 0x00000017 jnl 00007F8F4C502406h 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 jo 00007F8F4C502406h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109FA97 second address: 109FA9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109FBDE second address: 109FBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109FBE4 second address: 109FBE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109FBE8 second address: 109FBF4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnc 00007F8F4C502406h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A17F2 second address: 10A17F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A17F8 second address: 10A17FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A17FC second address: 10A18C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007F8F4CECCCF9h 0x0000000f jmp 00007F8F4CECCCF3h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push esi 0x00000019 jmp 00007F8F4CECCCF9h 0x0000001e pop esi 0x0000001f mov eax, dword ptr [eax] 0x00000021 push ecx 0x00000022 push eax 0x00000023 push esi 0x00000024 pop esi 0x00000025 pop eax 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push ebx 0x0000002c pushad 0x0000002d jmp 00007F8F4CECCCF8h 0x00000032 js 00007F8F4CECCCE6h 0x00000038 popad 0x00000039 pop ebx 0x0000003a pop eax 0x0000003b mov dx, 72DBh 0x0000003f and ecx, dword ptr [ebp+122D2CEDh] 0x00000045 lea ebx, dword ptr [ebp+12456477h] 0x0000004b jmp 00007F8F4CECCCEDh 0x00000050 xchg eax, ebx 0x00000051 jbe 00007F8F4CECCCECh 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b jmp 00007F8F4CECCCF5h 0x00000060 jmp 00007F8F4CECCCF1h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A18C1 second address: 10A18CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8F4C502406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A18F8 second address: 10A18FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A18FC second address: 10A191A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F8F4C50240Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F8F4C502408h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A191A second address: 10A1951 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D2F75h], edx 0x00000010 push 00000000h 0x00000012 cmc 0x00000013 call 00007F8F4CECCCE9h 0x00000018 jp 00007F8F4CECCCEEh 0x0000001e push eax 0x0000001f pushad 0x00000020 pushad 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A1951 second address: 10A1982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8F4C50240Eh 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F8F4C502413h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A1982 second address: 10A19A6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F4CECCCE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007F8F4CECCCF2h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A19A6 second address: 10A19B0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8F4C50240Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A19B0 second address: 10A19C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A19C0 second address: 10A19C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A19C6 second address: 10A1A42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov dword ptr [ebp+122D3611h], edi 0x0000000f push 00000003h 0x00000011 jmp 00007F8F4CECCCEDh 0x00000016 push 00000000h 0x00000018 call 00007F8F4CECCCF8h 0x0000001d jne 00007F8F4CECCCECh 0x00000023 xor ecx, 5EAD6C00h 0x00000029 pop edi 0x0000002a jmp 00007F8F4CECCCEEh 0x0000002f push 00000003h 0x00000031 jmp 00007F8F4CECCCF9h 0x00000036 push 73BBFCF5h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jl 00007F8F4CECCCE6h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A1A42 second address: 10A1A7D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add dword ptr [esp], 4C44030Bh 0x0000000e mov dword ptr [ebp+122D1E61h], eax 0x00000014 lea ebx, dword ptr [ebp+12456482h] 0x0000001a jp 00007F8F4C50240Ch 0x00000020 push eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8F4C502411h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B3EB4 second address: 10B3EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jmp 00007F8F4CECCCF4h 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F8F4CECCCE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3E4D second address: 10C3E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3E51 second address: 10C3E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8F4CECCCE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F8F4CECCCE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3E67 second address: 10C3E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3E6B second address: 10C3E6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1084154 second address: 108416B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 je 00007F8F4C502406h 0x0000000f jl 00007F8F4C502406h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C1D14 second address: 10C1D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C1D1C second address: 10C1D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C1E6F second address: 10C1EB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF9h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F8F4CECCCF9h 0x00000011 pushad 0x00000012 popad 0x00000013 jnc 00007F8F4CECCCE6h 0x00000019 popad 0x0000001a pop ebx 0x0000001b pushad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C1EB6 second address: 10C1EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8F4C502406h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C1EC4 second address: 10C1ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C22DD second address: 10C22EB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C22EB second address: 10C22EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C22EF second address: 10C2305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F8F4C50240Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C2305 second address: 10C230A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C230A second address: 10C231C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jne 00007F8F4C502406h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C2746 second address: 10C274D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C274D second address: 10C2761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4C502410h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C2761 second address: 10C277D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8F4CECCCE6h 0x00000008 jmp 00007F8F4CECCCEFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C28C3 second address: 10C28CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C28CB second address: 10C28D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8F4CECCCE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C2A34 second address: 10C2A3A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C2A3A second address: 10C2A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnl 00007F8F4CECCCE6h 0x00000011 jmp 00007F8F4CECCCF6h 0x00000016 popad 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B62D0 second address: 10B62D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B62D4 second address: 10B62E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F8F4CECCCE6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B62E3 second address: 10B62FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8F4C502406h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jg 00007F8F4C502406h 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B62FA second address: 10B62FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097F5E second address: 1097F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8F4C50240Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097F70 second address: 1097F76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C39C1 second address: 10C39C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C39C8 second address: 10C39D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8F4CECCCE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3C63 second address: 10C3C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3C69 second address: 10C3C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3C74 second address: 10C3C96 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F4C50240Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F8F4C50240Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3C96 second address: 10C3C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C3C9E second address: 10C3CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C9354 second address: 10C93A5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F8F4CECCCF9h 0x00000010 pop edi 0x00000011 jmp 00007F8F4CECCCEDh 0x00000016 jmp 00007F8F4CECCCF0h 0x0000001b popad 0x0000001c je 00007F8F4CECCCFEh 0x00000022 push eax 0x00000023 push edx 0x00000024 jl 00007F8F4CECCCE6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C93A5 second address: 10C93A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CD1EB second address: 10CD1F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CD1F1 second address: 10CD1F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CD1F7 second address: 10CD217 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jc 00007F8F4CECCCECh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CD217 second address: 10CD269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jp 00007F8F4C502406h 0x0000000b pop ebx 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F8F4C50240Dh 0x00000016 mov eax, dword ptr [eax] 0x00000018 jnp 00007F8F4C502412h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jns 00007F8F4C50241Ah 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CD39C second address: 10CD3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10CD3A7 second address: 10CD3BA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jns 00007F8F4C502406h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D1165 second address: 10D116D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D116D second address: 10D1188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8F4C502413h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D1188 second address: 10D11A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4CECCCF2h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D11A6 second address: 10D11B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8F4C502406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D11B0 second address: 10D11B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D11B4 second address: 10D11C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F8F4C50240Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D11C6 second address: 10D11FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8F4CECCCF4h 0x00000008 jno 00007F8F4CECCCE6h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F8F4CECCCF4h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108C53A second address: 108C53E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4098 second address: 10D409E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4C9A second address: 10D4C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4C9F second address: 10D4CA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8F4CECCCE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4DBE second address: 10D4DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8F4C502406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4DC8 second address: 10D4DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4DCC second address: 10D4DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4DDA second address: 10D4DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4F90 second address: 10D4F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D4F95 second address: 10D4F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D505C second address: 10D5066 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D529D second address: 10D52D1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8F4CECCCE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F8F4CECCCF3h 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8F4CECCCEDh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D52D1 second address: 10D52D7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D52D7 second address: 10D52EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8F4CECCCF0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D52EC second address: 10D52F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D52F9 second address: 10D52FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D582A second address: 10D5830 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D5830 second address: 10D583E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4CECCCEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D583E second address: 10D5842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D7317 second address: 10D731D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D7967 second address: 10D796D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D8B9A second address: 10D8BA8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D8326 second address: 10D832A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DA21D second address: 10DA223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D9F99 second address: 10D9F9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DB549 second address: 10DB54D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DBFCF second address: 10DBFD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DBFD3 second address: 10DC009 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8F4CECCCF0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DED85 second address: 10DED8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DED8B second address: 10DEE0F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F8F4CECCCF0h 0x00000012 nop 0x00000013 xor bl, FFFFFFBAh 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F8F4CECCCE8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F8F4CECCCE8h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 00000018h 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e mov dword ptr [ebp+12450DF3h], ecx 0x00000054 jng 00007F8F4CECCCEDh 0x0000005a pushad 0x0000005b movzx ebx, di 0x0000005e pushad 0x0000005f popad 0x00000060 popad 0x00000061 push eax 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 js 00007F8F4CECCCE6h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DFCE2 second address: 10DFCE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DFCE6 second address: 10DFD79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx ebx, bx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F8F4CECCCE8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov dword ptr [ebp+124678DFh], ebx 0x0000002f mov dword ptr [ebp+12450DF3h], eax 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F8F4CECCCE8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 mov bx, dx 0x00000054 sub dword ptr [ebp+12451F65h], esi 0x0000005a xchg eax, esi 0x0000005b pushad 0x0000005c push eax 0x0000005d jmp 00007F8F4CECCCF4h 0x00000062 pop eax 0x00000063 jns 00007F8F4CECCCECh 0x00000069 js 00007F8F4CECCCE6h 0x0000006f popad 0x00000070 push eax 0x00000071 push ecx 0x00000072 jnl 00007F8F4CECCCECh 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10DFEE4 second address: 10DFEE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E2F1F second address: 10E2F41 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F4CECCCFDh 0x00000008 jnc 00007F8F4CECCCE6h 0x0000000e jmp 00007F8F4CECCCF1h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10964ED second address: 1096509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4C50240Ah 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F8F4C502406h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1096509 second address: 1096517 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jne 00007F8F4CECCCE6h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1096517 second address: 109651C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E0F63 second address: 10E0F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F8F4CECCCEDh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F8F4CECCCECh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E4E57 second address: 10E4E7B instructions: 0x00000000 rdtsc 0x00000002 js 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jl 00007F8F4C502408h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8F4C50240Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6A30 second address: 10E6A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6A34 second address: 10E6A38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6A38 second address: 10E6A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6A3E second address: 10E6A61 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8F4C502414h 0x00000008 jmp 00007F8F4C50240Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007F8F4C502406h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6A61 second address: 10E6A67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6A67 second address: 10E6A6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E8B63 second address: 10E8B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E8B69 second address: 10E8B7E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F8F4C50240Dh 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E8B7E second address: 10E8B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E8B84 second address: 10E8B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E8B88 second address: 10E8B8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E9F72 second address: 10E9FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 add ebx, 2CD62DE1h 0x0000000f mov bl, dl 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F8F4C502408h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+1245CB43h], ecx 0x00000033 push ebx 0x00000034 pop ebx 0x00000035 push 00000000h 0x00000037 cld 0x00000038 push eax 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F8F4C502411h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EEF88 second address: 10EEF8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EEF8E second address: 10EF013 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F8F4C502408h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 add bx, F260h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F8F4C502408h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000014h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov di, ax 0x00000047 call 00007F8F4C502414h 0x0000004c mov dword ptr [ebp+122D2986h], ebx 0x00000052 pop edi 0x00000053 push 00000000h 0x00000055 pushad 0x00000056 mov dword ptr [ebp+122D3867h], ebx 0x0000005c mov ah, 9Ah 0x0000005e popad 0x0000005f add dword ptr [ebp+122D2F49h], edx 0x00000065 xchg eax, esi 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 jnp 00007F8F4C502406h 0x0000006f pop eax 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF013 second address: 10EF018 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFEC6 second address: 10EFECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFECD second address: 10EFF41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, ebx 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F8F4CECCCE8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push edi 0x00000029 mov ebx, eax 0x0000002b pop ebx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F8F4CECCCE8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ah 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 xchg eax, esi 0x00000049 pushad 0x0000004a push eax 0x0000004b push ebx 0x0000004c pop ebx 0x0000004d pop eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F8F4CECCCEAh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED193 second address: 10ED198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED198 second address: 10ED20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8F4CECCCE6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F8F4CECCCE8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov bx, 1CA4h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov di, dx 0x00000036 stc 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e call 00007F8F4CECCCEAh 0x00000043 mov dword ptr [ebp+124695F0h], eax 0x00000049 pop ebx 0x0000004a mov eax, dword ptr [ebp+122D14EDh] 0x00000050 xor bx, 16E7h 0x00000055 push FFFFFFFFh 0x00000057 sub dword ptr [ebp+122D363Dh], ebx 0x0000005d mov bx, di 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push ebx 0x00000065 pop ebx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EE107 second address: 10EE10B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF220 second address: 10EF23B instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8F4CECCCEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ED20B second address: 10ED210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F357F second address: 10F358B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F358B second address: 10F35C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 nop 0x00000007 movzx ebx, cx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F8F4C502408h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov bx, di 0x0000002b xchg eax, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F35C1 second address: 10F35C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F35C7 second address: 10F35CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F015F second address: 10F018C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8F4CECCCEDh 0x00000008 js 00007F8F4CECCCE6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8F4CECCCF1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F111C second address: 10F1126 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F1126 second address: 10F113F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jp 00007F8F4CECCCE6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f js 00007F8F4CECCCF8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F113F second address: 10F1143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F1143 second address: 10F11EC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F8F4CECCCE8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jg 00007F8F4CECCCECh 0x0000002b mov dword ptr [ebp+122D373Ah], ebx 0x00000031 push dword ptr fs:[00000000h] 0x00000038 mov edi, 3FC63BB6h 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov dword ptr [ebp+122D3759h], eax 0x0000004a mov bh, 80h 0x0000004c mov eax, dword ptr [ebp+122D0599h] 0x00000052 push 00000000h 0x00000054 push eax 0x00000055 call 00007F8F4CECCCE8h 0x0000005a pop eax 0x0000005b mov dword ptr [esp+04h], eax 0x0000005f add dword ptr [esp+04h], 0000001Bh 0x00000067 inc eax 0x00000068 push eax 0x00000069 ret 0x0000006a pop eax 0x0000006b ret 0x0000006c mov di, 2D93h 0x00000070 push FFFFFFFFh 0x00000072 mov dword ptr [ebp+12458D41h], eax 0x00000078 push eax 0x00000079 push eax 0x0000007a push edx 0x0000007b pushad 0x0000007c jmp 00007F8F4CECCCF6h 0x00000081 push esi 0x00000082 pop esi 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F5806 second address: 10F5818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a ja 00007F8F4C502406h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F387C second address: 10F3882 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FDEFE second address: 10FDF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FDF04 second address: 10FDF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FDF08 second address: 10FDF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108DF71 second address: 108DFA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCECh 0x00000007 jl 00007F8F4CECCCF8h 0x0000000d jmp 00007F8F4CECCCF2h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 push eax 0x00000018 pop eax 0x00000019 push edx 0x0000001a pop edx 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jo 00007F8F4CECCCE6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108DFA9 second address: 108DFC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8F4C502411h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108DFC0 second address: 108DFD3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F4CECCCEEh 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F8F4CECCCE6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FD772 second address: 10FD778 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FD778 second address: 10FD77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FD77E second address: 10FD79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4C502418h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FD8C8 second address: 10FD8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F8F4CECCD1Fh 0x0000000b jmp 00007F8F4CECCCEAh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D94FF second address: 10D950C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1102F3F second address: 1102F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1105BAE second address: 1105BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 jne 00007F8F4C50240Eh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jno 00007F8F4C50241Ch 0x00000017 mov eax, dword ptr [eax] 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1105BEA second address: 1105C0E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007F8F4CECCCF1h 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1109DB7 second address: 1109DDD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8F4C502416h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091554 second address: 109155A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109155A second address: 1091568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F8F4C502406h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091568 second address: 1091572 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8F4CECCCE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110FC21 second address: 110FC25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110FC25 second address: 110FC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110FC2B second address: 110FC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110FD9A second address: 110FDA9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110FDA9 second address: 110FDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8F4C50240Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8F4C502411h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110FDD3 second address: 110FDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11101C6 second address: 11101CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111031D second address: 1110321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1110321 second address: 1110347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502415h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007F8F4C502406h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111072E second address: 1110732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1110732 second address: 111073E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110F883 second address: 110F8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4CECCCF2h 0x00000009 jnc 00007F8F4CECCCE6h 0x0000000f popad 0x00000010 jmp 00007F8F4CECCCEBh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8F4CECCCF1h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110F8C0 second address: 110F8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111604B second address: 1116051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2765 second address: 10D27EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502412h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jno 00007F8F4C502414h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F8F4C502408h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c or ecx, dword ptr [ebp+122D2CA9h] 0x00000032 lea eax, dword ptr [ebp+124874C6h] 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F8F4C502408h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 push eax 0x00000053 pushad 0x00000054 push esi 0x00000055 pushad 0x00000056 popad 0x00000057 pop esi 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D27EB second address: 10D27EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D27EF second address: 10D27F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D27F3 second address: 10B62FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F8F4CECCCE8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D3B25h], esi 0x0000002a call dword ptr [ebp+1245CDECh] 0x00000030 jp 00007F8F4CECCD08h 0x00000036 push eax 0x00000037 push edx 0x00000038 push esi 0x00000039 jg 00007F8F4CECCCE6h 0x0000003f pushad 0x00000040 popad 0x00000041 pop esi 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2DDC second address: 10D2DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2DE0 second address: 10D2E4B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 756A5282h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F8F4CECCCE8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c and ecx, dword ptr [ebp+122D2EEDh] 0x00000032 sub edi, dword ptr [ebp+122D2D3Dh] 0x00000038 mov cx, dx 0x0000003b call 00007F8F4CECCCE9h 0x00000040 jmp 00007F8F4CECCCF6h 0x00000045 push eax 0x00000046 pushad 0x00000047 jl 00007F8F4CECCCECh 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2E4B second address: 10D2E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2E53 second address: 10D2E68 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2E68 second address: 10D2E6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2E6E second address: 10D2E73 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D2F63 second address: 10D2F6D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D3008 second address: 10D3041 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F8F4CECCCE8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov dword ptr [ebp+124695F0h], edx 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D3041 second address: 10D3046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D3046 second address: 10D304B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D31CC second address: 10D31DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D31DF second address: 10D31F0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D3895 second address: 10D3899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D3AD0 second address: 10D3AE9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8F4CECCCECh 0x00000008 jnl 00007F8F4CECCCE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D3B84 second address: 10D3C33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8F4C50240Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f jmp 00007F8F4C50240Ch 0x00000014 pop ecx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F8F4C502408h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 sub dword ptr [ebp+122D1C89h], edx 0x00000036 mov cx, F2ACh 0x0000003a lea eax, dword ptr [ebp+1248750Ah] 0x00000040 cld 0x00000041 call 00007F8F4C502411h 0x00000046 pop edx 0x00000047 nop 0x00000048 ja 00007F8F4C502413h 0x0000004e push eax 0x0000004f jno 00007F8F4C50240Ah 0x00000055 nop 0x00000056 jmp 00007F8F4C502410h 0x0000005b lea eax, dword ptr [ebp+124874C6h] 0x00000061 movsx ecx, bx 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 jo 00007F8F4C502406h 0x0000006e pop eax 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D3C33 second address: 10B6F61 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F4CECCCE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, 46D66369h 0x00000014 call dword ptr [ebp+122D3619h] 0x0000001a jl 00007F8F4CECCCF8h 0x00000020 push esi 0x00000021 jbe 00007F8F4CECCCE6h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11151EA second address: 11151EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11151EE second address: 11151F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11151F2 second address: 1115208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4C502410h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1115359 second address: 1115364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8F4CECCCE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1115364 second address: 111536A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11154D2 second address: 11154D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11154D9 second address: 11154FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d jbe 00007F8F4C502418h 0x00000013 jmp 00007F8F4C502412h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1121DA3 second address: 1121DD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8F4CECCCF1h 0x00000008 jmp 00007F8F4CECCCF6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F8F4CECCCE6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1121DD8 second address: 1121DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1121DDC second address: 1121DE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1121F01 second address: 1121F47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jno 00007F8F4C502406h 0x0000000d jmp 00007F8F4C502419h 0x00000012 pop eax 0x00000013 pop edx 0x00000014 push ecx 0x00000015 jmp 00007F8F4C502415h 0x0000001a ja 00007F8F4C502420h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1122353 second address: 112237D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007F8F4CECCCF3h 0x0000000c jp 00007F8F4CECCCE6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112237D second address: 1122381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1122605 second address: 112260B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112260B second address: 1122611 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11228FE second address: 112290F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4CECCCEAh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1122C06 second address: 1122C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 jmp 00007F8F4C502416h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1122C28 second address: 1122C37 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8F4CECCCE8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1126ECA second address: 1126ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1126ECE second address: 1126ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1126ED2 second address: 1126EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F8F4C502406h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11267EE second address: 11267F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11267F4 second address: 11267FE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11267FE second address: 1126802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1126BDC second address: 1126C04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502410h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F8F4C50240Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1126C04 second address: 1126C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1129155 second address: 112915B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112915B second address: 112915F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112915F second address: 1129163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112D3A2 second address: 112D3AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094B02 second address: 1094B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1094B06 second address: 1094B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11321E2 second address: 11321E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11324F6 second address: 11324FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11324FA second address: 1132512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F8F4C50240Bh 0x0000000e pop edi 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D354B second address: 10D3551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D35EF second address: 10D360A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8F4C502408h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F8F4C50240Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D360A second address: 10D360F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D35EB second address: 10D35EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1136D23 second address: 1136D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1136D29 second address: 1136D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1136D2E second address: 1136D64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF7h 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8F4CECCCECh 0x00000017 jnl 00007F8F4CECCCE6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1136D64 second address: 1136D6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1136EE6 second address: 1136EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jnp 00007F8F4CECCCE6h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113705B second address: 1137076 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F8F4C502406h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1137076 second address: 1137080 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1137080 second address: 1137084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1137084 second address: 113708A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113732A second address: 1137333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1137333 second address: 1137337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E435 second address: 113E43B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E9CA second address: 113E9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4CECCCF8h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E9EA second address: 113E9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E9EF second address: 113EA11 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8F4CECCD04h 0x00000008 jmp 00007F8F4CECCCF8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113ECD9 second address: 113ECE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F204 second address: 113F211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F8F4CECCCE6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113FD74 second address: 113FD90 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F8F4C502406h 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007F8F4C502406h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113FD90 second address: 113FD94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144839 second address: 1144843 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8F4C502406h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144843 second address: 1144861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8F4CECCCF5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144861 second address: 1144868 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144868 second address: 114487D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jmp 00007F8F4CECCCEDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144996 second address: 11449B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F8F4C502414h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144B1A second address: 1144B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144B20 second address: 1144B2C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144CAD second address: 1144CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F8F4CECCCEAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1152389 second address: 11523A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8F4C502411h 0x0000000e push eax 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11523A7 second address: 11523C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11523C4 second address: 11523C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1150BFF second address: 1150C2F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8F4CECCCEEh 0x00000008 jnl 00007F8F4CECCCFAh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1150C2F second address: 1150C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1150C35 second address: 1150C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1150F18 second address: 1150F30 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8F4C502412h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1150F30 second address: 1150F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11510A5 second address: 11510A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11510A9 second address: 11510AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11510AF second address: 11510B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11510B5 second address: 11510D9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8F4CECCCF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1151257 second address: 1151268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4C50240Ch 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1151A2D second address: 1151A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11521BE second address: 11521C8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11521C8 second address: 11521CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11521CC second address: 11521ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007F8F4C502406h 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 jp 00007F8F4C50240Ch 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114FF65 second address: 114FF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11596FA second address: 1159706 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007F8F4C502406h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164BF5 second address: 1164BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164BF9 second address: 1164C0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164C0D second address: 1164C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164C13 second address: 1164C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164C17 second address: 1164C24 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F4CECCCE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164C24 second address: 1164C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jne 00007F8F4C502406h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164C39 second address: 1164C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8F4CECCCF0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1169235 second address: 1169239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1169239 second address: 1169241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1168E55 second address: 1168E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F8F4C502406h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118545A second address: 1185466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8F4CECCCE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185466 second address: 118546B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118572C second address: 1185745 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F4CECCCE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8F4CECCCEDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185745 second address: 1185762 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8F4C502418h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118589D second address: 11858A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11858A3 second address: 11858A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E60A second address: 119E632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F8F4CECCD0Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8F4CECCCEAh 0x00000015 jmp 00007F8F4CECCCEEh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1093008 second address: 1093012 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8F4C502406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1093012 second address: 1093017 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A00DE second address: 11A010A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4C502417h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8F4C50240Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AC977 second address: 11AC97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AC97B second address: 11AC986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AEB1A second address: 11AEB25 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F8F4CECCCE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8E1A second address: 11C8E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8E1F second address: 11C8E29 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8F4CECCCECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C7DD1 second address: 11C7DEA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8F4C50240Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C806F second address: 11C8075 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C84A8 second address: 11C84C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8F4C502413h 0x0000000b jbe 00007F8F4C502406h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C84C8 second address: 11C84D2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F4CECCCECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8628 second address: 11C8630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8630 second address: 11C8639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8639 second address: 11C863F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C863F second address: 11C8643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8924 second address: 11C894D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F8F4C502406h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F8F4C502418h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C894D second address: 11C895B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108FA3D second address: 108FA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108FA41 second address: 108FA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F8F4CECCCF2h 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a jmp 00007F8F4CECCCF6h 0x0000001f push eax 0x00000020 push edx 0x00000021 jl 00007F8F4CECCCE6h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CCF56 second address: 11CCF70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502412h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CCF70 second address: 11CCF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CD514 second address: 11CD521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CD521 second address: 11CD57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jno 00007F8F4CECCCE6h 0x0000000c pop edx 0x0000000d popad 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F8F4CECCCE8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 sub dword ptr [ebp+122D1C89h], ebx 0x0000002f push dword ptr [ebp+122D27A0h] 0x00000035 mov dword ptr [ebp+12450DC4h], esi 0x0000003b call 00007F8F4CECCCE9h 0x00000040 jp 00007F8F4CECCCF8h 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F8F4CECCCEAh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CD57A second address: 11CD5A7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F8F4C50241Eh 0x0000000d ja 00007F8F4C502418h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push ebx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CF07E second address: 11CF084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CF084 second address: 11CF08A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CEC60 second address: 11CEC64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 527025E second address: 52702D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8F4C502410h 0x00000009 and cx, B3E8h 0x0000000e jmp 00007F8F4C50240Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F8F4C502418h 0x0000001a adc ah, 00000048h 0x0000001d jmp 00007F8F4C50240Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 mov dx, ax 0x0000002c mov ebx, esi 0x0000002e popad 0x0000002f pop ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F8F4C502419h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250E8E second address: 5250E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250E94 second address: 5250E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250E98 second address: 5250EB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250EB0 second address: 5250EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250EB4 second address: 5250EDB instructions: 0x00000000 rdtsc 0x00000002 mov ax, D959h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dx, ax 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8F4CECCCF7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250EDB second address: 5250F02 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 53CD2FDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov ecx, edi 0x0000000c popad 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov ebx, 2DF0505Ch 0x00000015 mov ax, di 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F8F4C50240Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250F02 second address: 5250F2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f call 00007F8F4CECCCF1h 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0027 second address: 52A002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A002B second address: 52A0031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0031 second address: 52A009F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8F4C50240Ch 0x00000008 pop esi 0x00000009 mov bh, C1h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F8F4C50240Dh 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 jmp 00007F8F4C50240Ch 0x0000001b push ecx 0x0000001c pushad 0x0000001d popad 0x0000001e pop edx 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F8F4C50240Fh 0x0000002b add si, BF1Eh 0x00000030 jmp 00007F8F4C502419h 0x00000035 popfd 0x00000036 movzx ecx, dx 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A009F second address: 52A00A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A00A5 second address: 52A00A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A00A9 second address: 52A00AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A00AD second address: 52A00C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8F4C50240Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A00C4 second address: 52A00D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52300E0 second address: 52300E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52300E5 second address: 523013A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8F4CECCCF6h 0x0000000f push eax 0x00000010 jmp 00007F8F4CECCCEBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F8F4CECCCF6h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523013A second address: 5230140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230140 second address: 5230144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230144 second address: 5230148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230148 second address: 52301BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F8F4CECCCF3h 0x00000012 jmp 00007F8F4CECCCF3h 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007F8F4CECCCF8h 0x0000001e adc cx, 39C8h 0x00000023 jmp 00007F8F4CECCCEBh 0x00000028 popfd 0x00000029 popad 0x0000002a push dword ptr [ebp+0Ch] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F8F4CECCCF0h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52301BE second address: 52301C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52301C4 second address: 52301DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52301DF second address: 52301E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52301E5 second address: 52301EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52301EB second address: 52301EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52507CD second address: 52507D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52507D3 second address: 52507F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 mov edx, 478D0DF2h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52507F1 second address: 52507F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52507F7 second address: 52507FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52507FB second address: 5250836 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F8F4CECCCEDh 0x00000015 jmp 00007F8F4CECCCF0h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250836 second address: 5250848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4C50240Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250848 second address: 525084C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 525084C second address: 525085E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx ecx, di 0x0000000f mov dl, 4Dh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250690 second address: 5250695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250695 second address: 52506A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4C50240Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52506A8 second address: 52506CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52506CD second address: 52506EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F8F4C502419h 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52506EC second address: 5250741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F8F4CECCCF1h 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 jmp 00007F8F4CECCCF6h 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e call 00007F8F4CECCCEDh 0x00000023 pop esi 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250399 second address: 52503F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8F4C50240Bh 0x00000009 or al, FFFFFFBEh 0x0000000c jmp 00007F8F4C502419h 0x00000011 popfd 0x00000012 push eax 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F8F4C502416h 0x00000021 or ax, 18E8h 0x00000026 jmp 00007F8F4C50240Bh 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52503F6 second address: 5250490 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F8F4CECCCF5h 0x0000000c call 00007F8F4CECCCF0h 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 pushad 0x00000017 movsx ebx, si 0x0000001a pushfd 0x0000001b jmp 00007F8F4CECCCF6h 0x00000020 jmp 00007F8F4CECCCF5h 0x00000025 popfd 0x00000026 popad 0x00000027 movzx eax, di 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c jmp 00007F8F4CECCCF3h 0x00000031 mov ebp, esp 0x00000033 jmp 00007F8F4CECCCF6h 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250490 second address: 52504AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52504AD second address: 52504B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52504B3 second address: 52504B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 526022A second address: 5260239 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5260239 second address: 526023D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 526023D second address: 5260243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5260243 second address: 5260249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5260249 second address: 52602C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov edx, eax 0x0000000f pushfd 0x00000010 jmp 00007F8F4CECCCF0h 0x00000015 jmp 00007F8F4CECCCF5h 0x0000001a popfd 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007F8F4CECCCEEh 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F8F4CECCCEDh 0x0000002d or ax, 2466h 0x00000032 jmp 00007F8F4CECCCF1h 0x00000037 popfd 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52602C1 second address: 52602C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290E0D second address: 5290E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290E11 second address: 5290E28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502413h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52705B9 second address: 52705BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52705BF second address: 52705FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F8F4C502412h 0x00000014 xor esi, 15E4DB58h 0x0000001a jmp 00007F8F4C50240Bh 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52705FA second address: 5270652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8F4CECCCF6h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ebx, 412AA564h 0x00000012 movsx ebx, cx 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F8F4CECCCF1h 0x00000020 sbb ecx, 59953056h 0x00000026 jmp 00007F8F4CECCCF1h 0x0000002b popfd 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5270652 second address: 5270660 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4C50240Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5270660 second address: 5270664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5270664 second address: 527069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F8F4C502417h 0x0000000f mov eax, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8F4C502415h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 527069F second address: 52706A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52706A5 second address: 52706F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502413h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax], 00000000h 0x0000000e jmp 00007F8F4C502416h 0x00000013 and dword ptr [eax+04h], 00000000h 0x00000017 pushad 0x00000018 jmp 00007F8F4C50240Eh 0x0000001d movzx eax, di 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52706F5 second address: 52706F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52706F9 second address: 52706FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52706FD second address: 5270703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5250580 second address: 52505F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F8F4C502418h 0x00000017 add ah, 00000068h 0x0000001a jmp 00007F8F4C50240Bh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F8F4C502418h 0x00000026 or ax, A7C8h 0x0000002b jmp 00007F8F4C50240Bh 0x00000030 popfd 0x00000031 popad 0x00000032 xchg eax, ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52505F1 second address: 52505F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52505F5 second address: 52505FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52505FB second address: 5250628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8F4CECCCF8h 0x00000009 sub ah, 00000058h 0x0000000c jmp 00007F8F4CECCCEBh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 527018E second address: 5270194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5270194 second address: 5270198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5270198 second address: 52701D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F8F4C502417h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8F4C502415h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52703CD second address: 52703D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52703D1 second address: 52703D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52703D7 second address: 5270413 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8F4CECCCF0h 0x0000000f push eax 0x00000010 jmp 00007F8F4CECCCEBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5270413 second address: 527042E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502417h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 527042E second address: 527047D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bl 0x00000005 pushfd 0x00000006 jmp 00007F8F4CECCCF0h 0x0000000b adc eax, 1F79F068h 0x00000011 jmp 00007F8F4CECCCEBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c jmp 00007F8F4CECCCF6h 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ecx, edi 0x00000027 mov edx, 62348D0Ch 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290600 second address: 5290625 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290625 second address: 529062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529062A second address: 5290660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502415h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8F4C502418h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290660 second address: 529066F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529066F second address: 52906B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F8F4C50240Eh 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8F4C502417h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52906B6 second address: 5290702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, C8h 0x00000005 mov ecx, 205CCA87h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F8F4CECCCF6h 0x00000016 pushfd 0x00000017 jmp 00007F8F4CECCCF2h 0x0000001c and si, 9E98h 0x00000021 jmp 00007F8F4CECCCEBh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290702 second address: 5290786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F8F4C50240Eh 0x0000000f mov eax, dword ptr [76FA65FCh] 0x00000014 jmp 00007F8F4C502410h 0x00000019 test eax, eax 0x0000001b pushad 0x0000001c call 00007F8F4C50240Eh 0x00000021 mov ch, 04h 0x00000023 pop edi 0x00000024 jmp 00007F8F4C50240Ch 0x00000029 popad 0x0000002a je 00007F8FBE195608h 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 mov dl, 7Bh 0x00000035 jmp 00007F8F4C502416h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290786 second address: 52907F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007F8F4CECCCEDh 0x0000000c sbb eax, 55016306h 0x00000012 jmp 00007F8F4CECCCF1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ecx, eax 0x0000001d jmp 00007F8F4CECCCEEh 0x00000022 xor eax, dword ptr [ebp+08h] 0x00000025 jmp 00007F8F4CECCCF1h 0x0000002a and ecx, 1Fh 0x0000002d jmp 00007F8F4CECCCEEh 0x00000032 ror eax, cl 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52907F2 second address: 529080F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502419h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529080F second address: 529081F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4CECCCECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529081F second address: 5290834 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8F4C50240Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290834 second address: 5290846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4CECCCEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290846 second address: 529084A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290913 second address: 5290919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290919 second address: 529091D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529091D second address: 5290956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov eax, edx 0x0000000f movsx ebx, cx 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 mov ax, A17Fh 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F8F4CECCCF3h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290956 second address: 529095A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529095A second address: 5290960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240022 second address: 524008A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8F4C502417h 0x00000009 adc al, FFFFFFDEh 0x0000000c jmp 00007F8F4C502419h 0x00000011 popfd 0x00000012 jmp 00007F8F4C502410h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov cl, EAh 0x0000001e movsx edi, si 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F8F4C502411h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524008A second address: 52400CA instructions: 0x00000000 rdtsc 0x00000002 mov ah, 56h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edx, 4661A950h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov eax, edi 0x00000010 pushfd 0x00000011 jmp 00007F8F4CECCCF1h 0x00000016 adc cl, FFFFFFD6h 0x00000019 jmp 00007F8F4CECCCF1h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52400CA second address: 52400CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52400CE second address: 52400E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52400E1 second address: 5240144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F8F4C50240Ah 0x00000015 add ax, 2A58h 0x0000001a jmp 00007F8F4C50240Bh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F8F4C502418h 0x00000026 and eax, 3022B4B8h 0x0000002c jmp 00007F8F4C50240Bh 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ecx 0x00000034 pushad 0x00000035 mov dx, cx 0x00000038 push eax 0x00000039 push edx 0x0000003a mov eax, 2E809D3Dh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240144 second address: 524015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8F4CECCCF0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524015E second address: 5240162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240162 second address: 5240168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240168 second address: 524016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524016E second address: 5240172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524022E second address: 5240272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8F4C50240Bh 0x00000009 or eax, 1E381B6Eh 0x0000000f jmp 00007F8F4C502419h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, esi 0x00000019 pushad 0x0000001a mov si, F193h 0x0000001e push eax 0x0000001f pop ecx 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push edx 0x00000026 pop esi 0x00000027 mov cl, bh 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240272 second address: 52402CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F8F4CECCCF6h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 jmp 00007F8F4CECCCF0h 0x00000017 xchg eax, edi 0x00000018 jmp 00007F8F4CECCCF0h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F8F4CECCCEDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52402CE second address: 52402D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52402D2 second address: 52402D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52402D8 second address: 5240302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8F4C502417h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240302 second address: 5240388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F8F4CECCCEEh 0x00000010 je 00007F8FBEBAAFCCh 0x00000016 pushad 0x00000017 mov cl, 73h 0x00000019 call 00007F8F4CECCCF3h 0x0000001e pop ecx 0x0000001f popad 0x00000020 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000027 pushad 0x00000028 mov ebx, 7EA41A04h 0x0000002d mov edx, 7C4AD270h 0x00000032 popad 0x00000033 je 00007F8FBEBAAFB1h 0x00000039 pushad 0x0000003a jmp 00007F8F4CECCCF5h 0x0000003f mov ah, EBh 0x00000041 popad 0x00000042 mov edx, dword ptr [esi+44h] 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240388 second address: 524038C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524038C second address: 52403A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52403A0 second address: 52403F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8F4C502411h 0x00000008 pop esi 0x00000009 call 00007F8F4C502411h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 or edx, dword ptr [ebp+0Ch] 0x00000015 pushad 0x00000016 mov cx, di 0x00000019 popad 0x0000001a test edx, 61000000h 0x00000020 pushad 0x00000021 movsx ebx, cx 0x00000024 movzx eax, dx 0x00000027 popad 0x00000028 jne 00007F8FBE1E06AEh 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F8F4C502410h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52403F8 second address: 5240425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, CDh 0x00000005 pushfd 0x00000006 jmp 00007F8F4CECCCEAh 0x0000000b sbb ecx, 7EC1E438h 0x00000011 jmp 00007F8F4CECCCEBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test byte ptr [esi+48h], 00000001h 0x0000001e pushad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240425 second address: 524045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F8F4C502410h 0x0000000a add esi, 53C3DE98h 0x00000010 jmp 00007F8F4C50240Bh 0x00000015 popfd 0x00000016 popad 0x00000017 mov dx, cx 0x0000001a popad 0x0000001b jne 00007F8FBE1E0656h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524045D second address: 5240461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240461 second address: 5240467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240467 second address: 5240480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4CECCCF5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240480 second address: 52404A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test bl, 00000007h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov cx, di 0x00000014 movsx edx, cx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52404A4 second address: 52404AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52404AA second address: 52404AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230793 second address: 5230797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230797 second address: 523079D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523079D second address: 52307A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52307A3 second address: 52307E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502418h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8F4C50240Bh 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8F4C502410h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52307E2 second address: 52307F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52307F1 second address: 523086D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F8F4C50240Ch 0x00000012 and esp, FFFFFFF8h 0x00000015 jmp 00007F8F4C502410h 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F8F4C502410h 0x00000020 push eax 0x00000021 pushad 0x00000022 jmp 00007F8F4C502411h 0x00000027 popad 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push esi 0x0000002d pop edi 0x0000002e pushfd 0x0000002f jmp 00007F8F4C502412h 0x00000034 adc si, 27D8h 0x00000039 jmp 00007F8F4C50240Bh 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523086D second address: 523094C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F8F4CECCCEEh 0x0000000f push eax 0x00000010 jmp 00007F8F4CECCCEBh 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F8F4CECCCF4h 0x0000001d sub esi, 76402BC8h 0x00000023 jmp 00007F8F4CECCCEBh 0x00000028 popfd 0x00000029 mov ax, 2D3Fh 0x0000002d popad 0x0000002e mov esi, dword ptr [ebp+08h] 0x00000031 jmp 00007F8F4CECCCF2h 0x00000036 sub ebx, ebx 0x00000038 pushad 0x00000039 mov si, di 0x0000003c mov bh, DAh 0x0000003e popad 0x0000003f test esi, esi 0x00000041 jmp 00007F8F4CECCCF2h 0x00000046 je 00007F8FBEBB276Fh 0x0000004c jmp 00007F8F4CECCCF0h 0x00000051 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b pushfd 0x0000005c jmp 00007F8F4CECCCEDh 0x00000061 or esi, 7A7017A6h 0x00000067 jmp 00007F8F4CECCCF1h 0x0000006c popfd 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523094C second address: 5230952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230952 second address: 5230956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230956 second address: 5230994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, 35D56563h 0x00000012 pushfd 0x00000013 jmp 00007F8F4C502418h 0x00000018 sbb ecx, 42A817A8h 0x0000001e jmp 00007F8F4C50240Bh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230994 second address: 52309F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F8FBEBB26EBh 0x00000010 pushad 0x00000011 mov di, 0CF0h 0x00000015 pushfd 0x00000016 jmp 00007F8F4CECCCF9h 0x0000001b and ax, 6A76h 0x00000020 jmp 00007F8F4CECCCF1h 0x00000025 popfd 0x00000026 popad 0x00000027 test byte ptr [76FA6968h], 00000002h 0x0000002e pushad 0x0000002f mov edx, esi 0x00000031 mov dl, ch 0x00000033 popad 0x00000034 jne 00007F8FBEBB26B4h 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d movzx ecx, di 0x00000040 mov bh, 30h 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52309F7 second address: 52309FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52309FD second address: 5230A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230A01 second address: 5230A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007F8F4C502419h 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F8F4C50240Eh 0x00000016 push eax 0x00000017 jmp 00007F8F4C50240Bh 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F8F4C502410h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230A55 second address: 5230A5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230A5B second address: 5230A90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8F4C502410h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8F4C50240Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230A90 second address: 5230AA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230AA5 second address: 5230AD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8F4C50240Eh 0x0000000f push dword ptr [ebp+14h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230AD2 second address: 5230AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230AD6 second address: 5230ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230B33 second address: 5230B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4CECCCECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240D92 second address: 5240D98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240D98 second address: 5240DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F8F4CECCCF4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushad 0x00000013 mov edi, eax 0x00000015 movzx ecx, bx 0x00000018 popad 0x00000019 pushfd 0x0000001a jmp 00007F8F4CECCCF5h 0x0000001f add eax, 2F9A12C6h 0x00000025 jmp 00007F8F4CECCCF1h 0x0000002a popfd 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240DF7 second address: 5240DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240DFB second address: 5240DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240DFF second address: 5240E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240E05 second address: 5240E0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240E0B second address: 5240E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5240B49 second address: 5240B58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0763 second address: 52C0772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F4C50240Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0A29 second address: 52B0A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0A40 second address: 52B0A77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8F4C50240Fh 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F8F4C502412h 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov bx, C080h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0A77 second address: 52B0A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0A7C second address: 52B0A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0A82 second address: 52B0A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0A86 second address: 52B0A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0CF3 second address: 52B0D5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F8F4CECCCF1h 0x00000011 jmp 00007F8F4CECCCEBh 0x00000016 popfd 0x00000017 mov ax, 041Fh 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F8F4CECCCF2h 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F8F4CECCCF7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0D5C second address: 52B0D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0D62 second address: 52B0DBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4CECCCEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e jmp 00007F8F4CECCCF6h 0x00000013 push dword ptr [ebp+08h] 0x00000016 pushad 0x00000017 jmp 00007F8F4CECCCEEh 0x0000001c push ecx 0x0000001d mov cl, dl 0x0000001f pop ecx 0x00000020 popad 0x00000021 push 40227F92h 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F8F4CECCCF5h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0DBF second address: 52B0DEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C502411h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 40237F90h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8F4C50240Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0DEA second address: 52B0DFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F4CECCCECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0E28 second address: 52B0E8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8F4C502417h 0x00000008 pop eax 0x00000009 mov ecx, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e movzx eax, al 0x00000011 pushad 0x00000012 call 00007F8F4C502411h 0x00000017 pushfd 0x00000018 jmp 00007F8F4C502410h 0x0000001d jmp 00007F8F4C502415h 0x00000022 popfd 0x00000023 pop esi 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0E8D second address: 52B0E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0E91 second address: 52B0EA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F4C50240Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F1EC95 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10D2900 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 115FDF0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 72EC95 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 8E2900 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 96FDF0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Special instruction interceptor: First address: 497A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Special instruction interceptor: First address: 63B551 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Special instruction interceptor: First address: 639F56 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Special instruction interceptor: First address: 6C593B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Special instruction interceptor: First address: C9FAF0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Special instruction interceptor: First address: C9FBB0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Special instruction interceptor: First address: C9D53E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Special instruction interceptor: First address: ED23F7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Special instruction interceptor: First address: 19DEB7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Special instruction interceptor: First address: 36C604 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Special instruction interceptor: First address: 3478FE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Special instruction interceptor: First address: 3DAA39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Special instruction interceptor: First address: 1A3BEA instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Memory allocated: 4A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Memory allocated: 4CF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Memory allocated: 4B20000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_052B0CC2 rdtsc 0_2_052B0CC2
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1011 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1136 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1113 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1131 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1147 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1164 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1108 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1269
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1005
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1260
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1252
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1219
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1268
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1260
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Window / User API: threadDelayed 1259
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 1157
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 1155
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 1156
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 364
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 1183
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 1127
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 1187
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Window / User API: threadDelayed 1185
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019603001\d0c6b9d6b8.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019602001\647da3efc5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019601001\a53907268b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1019604001\0c0e50df68.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5328 Thread sleep count: 1011 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5328 Thread sleep time: -2023011s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3276 Thread sleep count: 1136 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3276 Thread sleep time: -2273136s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6108 Thread sleep count: 272 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6108 Thread sleep time: -8160000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3732 Thread sleep count: 1113 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3732 Thread sleep time: -2227113s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4676 Thread sleep count: 1131 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4676 Thread sleep time: -2263131s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3056 Thread sleep count: 1147 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3056 Thread sleep time: -2295147s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5752 Thread sleep count: 1164 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5752 Thread sleep time: -2329164s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4140 Thread sleep count: 1108 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4140 Thread sleep time: -2217108s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe TID: 5376 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe TID: 6104 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com TID: 5860 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com TID: 5860 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe TID: 8700 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe TID: 8708 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe TID: 6388 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 4856 Thread sleep count: 1269 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 4856 Thread sleep time: -2539269s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 4480 Thread sleep count: 1005 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 4480 Thread sleep time: -2011005s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 5396 Thread sleep count: 1260 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 5396 Thread sleep time: -2521260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 6668 Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 2136 Thread sleep count: 1252 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 2136 Thread sleep time: -2505252s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 2696 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 3648 Thread sleep count: 1219 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 3648 Thread sleep time: -2439219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 6576 Thread sleep count: 1268 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 6576 Thread sleep time: -2537268s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 3628 Thread sleep count: 1260 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 3628 Thread sleep time: -2521260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 616 Thread sleep count: 1259 > 30
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe TID: 616 Thread sleep time: -2519259s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6680 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6680 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 980 Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 2952 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 2952 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6408 Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 940 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 940 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6476 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6476 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6492 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6492 Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6560 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe TID: 1452 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe TID: 1452 Thread sleep count: 84 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6752 Thread sleep count: 1157 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 6752 Thread sleep time: -2315157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 4632 Thread sleep count: 1155 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 4632 Thread sleep time: -2311155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3952 Thread sleep count: 1156 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3952 Thread sleep time: -2313156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3204 Thread sleep count: 364 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3204 Thread sleep time: -2184000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3340 Thread sleep count: 1183 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3340 Thread sleep time: -2367183s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 2812 Thread sleep count: 1127 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 2812 Thread sleep time: -2255127s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3792 Thread sleep count: 1187 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3792 Thread sleep time: -2375187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3528 Thread sleep count: 1185 > 30
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe TID: 3528 Thread sleep time: -2371185s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe TID: 4740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe TID: 1360 Thread sleep count: 88 > 30
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe TID: 1360 Thread sleep count: 85 > 30
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00386304 FindFirstFileExW, 7_2_00386304
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_003863B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_003863B5
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00386304 FindFirstFileExW, 9_2_00386304
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_003863B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 9_2_003863B5
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\370821
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\370821\
Source: skotes.exe, skotes.exe, 00000003.00000002.2137648601.00000000008B7000.00000040.00000001.01000000.00000007.sdmp, 9f6ea82062.exe, 00000020.00000002.3948146191.0000000000E2B000.00000040.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000020.00000000.3269607750.0000000000E2B000.00000080.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000024.00000002.4211726440.0000000000E2B000.00000040.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000024.00000000.3409375402.0000000000E2B000.00000080.00000001.01000000.00000012.sdmp, 5936bfa4af.exe, 0000002C.00000002.3629094754.0000000000321000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 17ce3a84e4.exe, 0000001B.00000002.4522542200.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000003.4488835946.00000000014BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: 51ecf08926.exe, 00000021.00000003.3386520776.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3373835811.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3360279867.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3402212541.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3535624044.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3527139592.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3396211918.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3405370218.00000000016DA000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3375586091.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3385560100.00000000016DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPc:_
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 580c9354ec.exe, 0000001F.00000003.3535882043.0000000005A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.3093424754.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2804303481.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000002.3137952445.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.3100957478.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2914135153.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000002.3138117875.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.3093424754.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2887459258.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2913252442.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000003.4498901768.00000000014E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 51ecf08926.exe, 00000021.00000002.3625843163.00000000016B6000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3593117120.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3592281547.000000000169C000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3589272838.0000000001693000.00000004.00000020.00020000.00000000.sdmp, 51ecf08926.exe, 00000021.00000003.3596659488.00000000016B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW$
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.0000000000994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWxV
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 9f6ea82062.exe, 00000020.00000002.4054758953.000000000B881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 17ce3a84e4.exe, 0000001B.00000003.4498901768.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, 17ce3a84e4.exe, 0000001B.00000002.4524131042.00000000014E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ
Source: 580c9354ec.exe, 0000001F.00000003.3535882043.0000000005A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: 9f6ea82062.exe, 00000024.00000002.4260064567.0000000001665000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW+`
Source: 9f6ea82062.exe, 00000024.00000002.4260064567.00000000015FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2109012828.00000000010A7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2139636636.00000000008B7000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2137648601.00000000008B7000.00000040.00000001.01000000.00000007.sdmp, 9f6ea82062.exe, 00000020.00000002.3948146191.0000000000E2B000.00000040.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000024.00000002.4211726440.0000000000E2B000.00000040.00000001.01000000.00000012.sdmp, 5936bfa4af.exe, 0000002C.00000002.3629094754.0000000000321000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 9f6ea82062.exe, 00000020.00000002.3929798314.00000000009C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
Source: 9f6ea82062.exe, 00000020.00000000.3269607750.0000000000E2B000.00000080.00000001.01000000.00000012.sdmp, 9f6ea82062.exe, 00000024.00000000.3409375402.0000000000E2B000.00000080.00000001.01000000.00000012.sdmp Binary or memory string: \\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 580c9354ec.exe, 0000001F.00000003.3543466891.0000000005A01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe System information queried: CodeIntegrityInformation
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe File opened: SIWVID
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_052B0CC2 rdtsc 0_2_052B0CC2
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0043AAB0 LdrInitializeThunk, 9_2_0043AAB0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00374073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00374073
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EE652B mov eax, dword ptr fs:[00000030h] 0_2_00EE652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EEA302 mov eax, dword ptr fs:[00000030h] 0_2_00EEA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_006FA302 mov eax, dword ptr fs:[00000030h] 2_2_006FA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_006F652B mov eax, dword ptr fs:[00000030h] 2_2_006F652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_006FA302 mov eax, dword ptr fs:[00000030h] 3_2_006FA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_006F652B mov eax, dword ptr fs:[00000030h] 3_2_006F652B
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_0039C19E mov edi, dword ptr fs:[00000030h] 7_2_0039C19E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_003616A0 mov edi, dword ptr fs:[00000030h] 7_2_003616A0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_003616A0 mov edi, dword ptr fs:[00000030h] 9_2_003616A0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00381DBC GetProcessHeap, 7_2_00381DBC
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00374073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00374073
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00374067 SetUnhandledExceptionFilter, 7_2_00374067
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_00373CB7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00373CB7
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_0037CDB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0037CDB0
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00374073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00374073
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00374067 SetUnhandledExceptionFilter, 9_2_00374067
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_00373CB7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00373CB7
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 9_2_0037CDB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0037CDB0
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 3940, type: MEMORYSTR
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: 7_2_0039C19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 7_2_0039C19E
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Memory written: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Memory written: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe base: 400000 value starts with: 4D5A
LummaC encrypted strings found
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: EUCyhuW.exe, 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: bellflamre.click
Source: 17ce3a84e4.exe, 0000001B.00000002.4530305949.00000000015D0000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: fieldhitty.click
Source: 412ec13ac5.exe, 0000001C.00000002.3169413863.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pancakedipyps.click
Source: 580c9354ec.exe, 0000001F.00000003.3226351387.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe "C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe "C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe "C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe "C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe "C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe "C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe "C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe "C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe "C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Process created: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe "C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 370821
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Anchor" Veterinary
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka w
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Sale.com w
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Process created: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe "C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe"
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: Sale.com, 00000018.00000000.2879528289.0000000000843000.00000002.00000001.01000000.0000000D.sdmp, 51ecf08926.exe, 00000021.00000000.3354831484.00000000004A2000.00000002.00000001.01000000.00000013.sdmp, 51ecf08926.exe, 00000032.00000000.3491748335.00000000004A2000.00000002.00000001.01000000.00000013.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000003.00000002.2137910104.0000000000906000.00000040.00000001.01000000.00000007.sdmp, 9f6ea82062.exe, 00000024.00000002.4225691431.0000000000E6F000.00000040.00000001.01000000.00000012.sdmp Binary or memory string: Program Manager
Source: 5936bfa4af.exe, 0000002C.00000002.3642079118.0000000000375000.00000040.00000001.01000000.00000016.sdmp Binary or memory string: .Program Manager
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 7_2_003811AC
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_0038566E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 7_2_003816A7
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 7_2_003858BF
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_0038595A
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 7_2_00385BAD
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 7_2_00385C0C
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 7_2_00385CE1
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 7_2_00385D2C
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_00385DD3
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 7_2_00385ED9
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 9_2_003811AC
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_0038566E
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 9_2_003816A7
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 9_2_003858BF
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_0038595A
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 9_2_00385BAD
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 9_2_00385C0C
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: EnumSystemLocalesW, 9_2_00385CE1
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 9_2_00385D2C
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_00385DD3
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Code function: GetLocaleInfoW, 9_2_00385ED9
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019557001\SurveillanceWalls.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019563001\hYW0tgm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019594001\17ce3a84e4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019598001\51ecf08926.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019601001\a53907268b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019601001\a53907268b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019602001\647da3efc5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019602001\647da3efc5.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019603001\d0c6b9d6b8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019603001\d0c6b9d6b8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019604001\0c0e50df68.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019604001\0c0e50df68.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019605001\5e8e6b1f32.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019605001\5e8e6b1f32.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019606001\6dc8db9c72.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019606001\6dc8db9c72.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019607001\6377f21e05.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019607001\6377f21e05.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019608001\90e2c6db43.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019608001\90e2c6db43.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019609001\7defc08b02.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019609001\7defc08b02.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019610001\murrgHN.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019610001\murrgHN.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019611001\df0ad61c61.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019611001\df0ad61c61.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019612001\a389bef3dc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019612001\a389bef3dc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019613001\1ba4718074.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019614001\408fbd4e57.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019614001\408fbd4e57.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019615001\9e7a844ab2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019616001\dfe1c8ec1f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019616001\dfe1c8ec1f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ECCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00ECCBEA
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1019599001\5936bfa4af.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: EUCyhuW.exe, 00000009.00000003.2913252442.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2914135153.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2913722505.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, EUCyhuW.exe, 00000009.00000003.2913252442.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000002.3659052898.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3630270875.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3593252563.0000000001101000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3589106795.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 412ec13ac5.exe, 0000001E.00000003.3548508878.000000000118F000.00000004.00000020.00020000.00000000.sdmp, 580c9354ec.exe, 0000001F.00000003.3870761939.00000000011AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys Clipper DLL
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1019602001\647da3efc5.exe, type: DROPPED
Yara detected Amadeys stealer DLL
Source: Yara match File source: 0.2.file.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2108752240.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2139236518.00000000006C1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2137416563.00000000006C1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 51ecf08926.exe PID: 1844, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EUCyhuW.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 412ec13ac5.exe PID: 4788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 580c9354ec.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: 9.2.EUCyhuW.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.EUCyhuW.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000024.00000002.4203714163.0000000000A51000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.3308819951.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3942624190.0000000000A51000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.3428194939.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.4260064567.00000000015FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 3940, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 932, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: EUCyhuW.exe, 00000009.00000003.3093948172.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: EUCyhuW.exe, 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: 9f6ea82062.exe, 00000020.00000002.3942624190.0000000000AD4000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019552001\EUCyhuW.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1019595001\412ec13ac5.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019596001\580c9354ec.exe Directory queried: number of queries: 1001
Yara detected Credential Stealer
Source: Yara match File source: 0000001E.00000003.3598848162.0000000001138000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3614760975.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3572256199.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2887885665.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3466744227.0000000001176000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2889042019.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2913722505.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3803442222.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3479771297.0000000001138000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2887992510.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3468708215.0000000001123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2887459258.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2913252442.0000000000E97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3593252563.000000000111D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EUCyhuW.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 412ec13ac5.exe PID: 4788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 580c9354ec.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 932, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\AppData\Local\Temp\1019597001\9f6ea82062.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 51ecf08926.exe PID: 1844, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EUCyhuW.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 412ec13ac5.exe PID: 4788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 580c9354ec.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: 9.2.EUCyhuW.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.EUCyhuW.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3125830482.00000000031A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3137726168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000024.00000002.4203714163.0000000000A51000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.3308819951.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3942624190.0000000000A51000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3929798314.000000000094E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.3428194939.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.4260064567.00000000015FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 3940, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: 9f6ea82062.exe PID: 932, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1579344 Sample: file.exe Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 121 Found malware configuration 2->121 123 Antivirus detection for dropped file 2->123 125 Antivirus / Scanner detection for submitted sample 2->125 127 17 other signatures 2->127 8 skotes.exe 8 93 2->8         started        13 file.exe 5 2->13         started        15 skotes.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 107 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 8->107 109 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 8->109 111 3 other IPs or domains 8->111 77 C:\Users\user\AppData\...\0c0e50df68.exe, PE32+ 8->77 dropped 79 C:\Users\user\AppData\...\d0c6b9d6b8.exe, PE32 8->79 dropped 81 C:\Users\user\AppData\...\647da3efc5.exe, PE32 8->81 dropped 87 23 other malicious files 8->87 dropped 169 Creates multiple autostart registry keys 8->169 171 Hides threads from debuggers 8->171 173 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->173 19 9f6ea82062.exe 8->19         started        24 5936bfa4af.exe 8->24         started        26 580c9354ec.exe 8->26         started        32 6 other processes 8->32 83 C:\Users\user\AppData\Local\...\skotes.exe, PE32 13->83 dropped 85 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 13->85 dropped 175 Detected unpacking (changes PE section rights) 13->175 177 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->177 179 Tries to evade debugger and weak emulator (self modifying code) 13->179 181 Tries to detect virtualization through RDTSC time measurements 13->181 28 skotes.exe 13->28         started        183 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->183 185 Binary is likely a compiled AutoIt script file 17->185 30 firefox.exe 17->30         started        file5 signatures6 process7 dnsIp8 97 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 19->97 67 C:\Users\user\AppData\...\softokn3[1].dll, PE32 19->67 dropped 69 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 19->69 dropped 71 C:\Users\user\AppData\...\mozglue[1].dll, PE32 19->71 dropped 73 9 other files (5 malicious) 19->73 dropped 133 Detected unpacking (changes PE section rights) 19->133 135 Attempt to bypass Chrome Application-Bound Encryption 19->135 137 Found many strings related to Crypto-Wallets (likely being stolen) 19->137 149 5 other signatures 19->149 34 chrome.exe 19->34         started        139 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->139 151 4 other signatures 24->151 141 Query firmware table information (likely to detect VMs) 26->141 153 3 other signatures 26->153 143 Multi AV Scanner detection for dropped file 28->143 155 2 other signatures 28->155 99 142.250.181.78 GOOGLEUS United States 30->99 101 34.107.221.82 GOOGLEUS United States 30->101 105 2 other IPs or domains 30->105 103 172.67.141.124 CLOUDFLARENETUS United States 32->103 145 Binary is likely a compiled AutoIt script file 32->145 147 Machine Learning detection for dropped file 32->147 157 3 other signatures 32->157 37 cmd.exe 32->37         started        41 EUCyhuW.exe 32->41         started        43 412ec13ac5.exe 32->43         started        45 9 other processes 32->45 file9 signatures10 process11 dnsIp12 89 239.255.255.250 unknown Reserved 34->89 47 chrome.exe 34->47         started        75 C:\Users\user\AppData\Local\Temp\...\Sale.com, PE32 37->75 dropped 159 Drops PE files with a suspicious file extension 37->159 50 Sale.com 37->50         started        53 conhost.exe 37->53         started        55 tasklist.exe 37->55         started        63 7 other processes 37->63 91 104.21.21.99 CLOUDFLARENETUS United States 41->91 161 Query firmware table information (likely to detect VMs) 41->161 163 Found many strings related to Crypto-Wallets (likely being stolen) 41->163 165 Tries to steal Crypto Currency Wallets 41->165 93 172.67.209.202 CLOUDFLARENETUS United States 43->93 167 Tries to harvest and steal ftp login credentials 43->167 95 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 45->95 57 conhost.exe 45->57         started        59 conhost.exe 45->59         started        61 conhost.exe 45->61         started        65 2 other processes 45->65 file13 signatures14 process15 dnsIp16 113 142.250.181.132 GOOGLEUS United States 47->113 115 142.250.181.99 GOOGLEUS United States 47->115 119 3 other IPs or domains 47->119 117 104.21.63.229 CLOUDFLARENETUS United States 50->117 129 Query firmware table information (likely to detect VMs) 50->129 131 Tries to steal Crypto Currency Wallets 50->131 signatures17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
104.21.21.99
 unknown United States
13335 CLOUDFLARENETUS false
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
52.217.122.113
 unknown United States
16509 AMAZON-02US false
172.217.17.78
 unknown United States
15169 GOOGLEUS false
172.67.141.124
 unknown United States
13335 CLOUDFLARENETUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
142.250.181.132
 unknown United States
15169 GOOGLEUS false
34.107.221.82
 unknown United States
15169 GOOGLEUS false
172.67.209.202
 unknown United States
13335 CLOUDFLARENETUS false
239.255.255.250
 unknown Reserved
unknown unknown false
20.42.73.29
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
104.21.63.229
 unknown United States
13335 CLOUDFLARENETUS false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
64.233.162.84
 unknown United States
15169 GOOGLEUS false
35.190.72.216
 unknown United States
15169 GOOGLEUS false
142.250.181.78
 unknown United States
15169 GOOGLEUS false
142.250.181.99
 unknown United States
15169 GOOGLEUS false
185.166.143.50
 unknown Germany
16509 AMAZON-02US false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false

Private

IP
127.0.0.1

Contacted URLs

Name Malicious Antivirus Detection Reputation
aspecteirs.lat false
    		high
    sustainskelet.lat false
      		high
      rapeflowwj.lat false
        		high
        energyaffai.lat false
          		high
          grannyejh.lat false
            		high
            necklacebudi.lat false
              		high
              crosshuaht.lat false
                		high
                bellflamre.click true
                  		unknown
                  http://185.215.113.206/c4becf79229cb002.php false
                    		high