Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose,
Source: global traffic
HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1 Host: www4.cedesunjerinkas.com
Source: Network traffic
Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.5:49715 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49715 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49715 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49707 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49765 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49765 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49874 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49874 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49820 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49820 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49879 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49879 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49769 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49769 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49928 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49824 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49824 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49934 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49934 -> 193.166.255.171:80
Source: Network traffic
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49928 -> 193.166.255.171:80
Source: unknown
UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic
DNS traffic detected: DNS query: yahoo.com
Source: global traffic
DNS traffic detected: DNS query: www4.cedesunjerinkas.com
Source: global traffic
DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic
DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic
DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic
DNS traffic detected: DNS query: gmail.com
Source: global traffic
DNS traffic detected: DNS query: alt1.gmail-smtp-in.l.google.com
Source: global traffic
DNS traffic detected: DNS query: gmail-smtp-in.l.google.com
Source: global traffic
DNS traffic detected: DNS query: alt2.gmail-smtp-in.l.google.com
Source: global traffic
DNS traffic detected: DNS query: alt3.gmail-smtp-in.l.google.com
Source: global traffic
DNS traffic detected: DNS query: alt4.gmail-smtp-in.l.google.com
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00423D83 QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError,
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00411800
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_004108D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040C8E0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040F0E9
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00410907
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00404110
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00409119
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040F1C7
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040C1D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00404990
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_004091A7
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040E246
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00428A08
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00425214
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00405310
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00408BC0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00415BD0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0041B3D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040DBF0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0041E3A0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00409436
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00409CF7
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0041BD00
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040EDE0
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040DE56
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0041C660
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00410670
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040E676
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00409F47
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040EF78
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0040FF30
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00405F30
Source: unknown
Process created: C:\Users\user\Desktop\readme.msg.bat.exe "C:\Users\user\Desktop\readme.msg.bat.exe"
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\A853.tmp
Source: unknown
Process created: C:\Windows\tserv.exe "C:\Windows\tserv.exe" s
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Section loaded: cmut449c14b7.dll
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Section loaded: ntmarta.dll
Source: C:\Windows\tserv.exe
Section loaded: apphelp.dll
Source: C:\Windows\tserv.exe
Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe
Section loaded: wininet.dll
Source: C:\Windows\tserv.exe
Section loaded: dnsapi.dll
Source: C:\Windows\tserv.exe
Section loaded: iphlpapi.dll
Source: C:\Windows\tserv.exe
Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe
Section loaded: iertutil.dll
Source: C:\Windows\tserv.exe
Section loaded: sspicli.dll
Source: C:\Windows\tserv.exe
Section loaded: windows.storage.dll
Source: C:\Windows\tserv.exe
Section loaded: wldp.dll
Source: C:\Windows\tserv.exe
Section loaded: profapi.dll
Source: C:\Windows\tserv.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\tserv.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\tserv.exe
Section loaded: winhttp.dll
Source: C:\Windows\tserv.exe
Section loaded: mswsock.dll
Source: C:\Windows\tserv.exe
Section loaded: winnsi.dll
Source: C:\Windows\tserv.exe
Section loaded: urlmon.dll
Source: C:\Windows\tserv.exe
Section loaded: srvcli.dll
Source: C:\Windows\tserv.exe
Section loaded: netutils.dll
Source: C:\Windows\tserv.exe
Section loaded: rasadhlp.dll
Source: C:\Windows\tserv.exe
Section loaded: napinsp.dll
Source: C:\Windows\tserv.exe
Section loaded: pnrpnsp.dll
Source: C:\Windows\tserv.exe
Section loaded: wshbth.dll
Source: C:\Windows\tserv.exe
Section loaded: nlaapi.dll
Source: C:\Windows\tserv.exe
Section loaded: winrnr.dll
Source: C:\Windows\tserv.exe
Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: mrmcorer.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: efswrt.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\notepad.exe
Section loaded: msvcp110_win.dll
Source: C:\Windows\tserv.exe
Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe
Section loaded: wininet.dll
Source: C:\Windows\tserv.exe
Section loaded: dnsapi.dll
Source: C:\Windows\tserv.exe
Section loaded: iphlpapi.dll
Source: C:\Windows\tserv.exe
Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe
Section loaded: napinsp.dll
Source: C:\Windows\tserv.exe
Section loaded: pnrpnsp.dll
Source: C:\Windows\tserv.exe
Section loaded: wshbth.dll
Source: C:\Windows\tserv.exe
Section loaded: nlaapi.dll
Source: C:\Windows\tserv.exe
Section loaded: mswsock.dll
Source: C:\Windows\tserv.exe
Section loaded: winrnr.dll
Source: C:\Windows\tserv.exe
Section loaded: iertutil.dll
Source: C:\Windows\tserv.exe
Section loaded: sspicli.dll
Source: C:\Windows\tserv.exe
Section loaded: fwpuclnt.dll
Source: C:\Windows\tserv.exe
Section loaded: windows.storage.dll
Source: C:\Windows\tserv.exe
Section loaded: wldp.dll
Source: C:\Windows\tserv.exe
Section loaded: profapi.dll
Source: C:\Windows\tserv.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\tserv.exe
Section loaded: rasadhlp.dll
Source: C:\Windows\tserv.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\tserv.exe
Section loaded: winhttp.dll
Source: C:\Windows\tserv.exe
Section loaded: winnsi.dll
Source: C:\Windows\tserv.exe
Section loaded: urlmon.dll
Source: C:\Windows\tserv.exe
Section loaded: srvcli.dll
Source: C:\Windows\tserv.exe
Section loaded: netutils.dll
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\readme.msg.bat.exe
RDTSC instruction interceptor: First address: 40C1E0 second address: 40C1EE instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+04h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [7598188Ch] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007EFDC919F7D5h 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 mov esp, ebp 0x0000003b pop ebp 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov dword ptr [esp+08h], eax 0x00000043 rdtsc
Source: C:\Users\user\Desktop\readme.msg.bat.exe
RDTSC instruction interceptor: First address: 40C1EE second address: 40C1FC instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+08h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [7598188Ch] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007EFDC8D9B375h 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 mov esp, ebp 0x0000003b pop ebp 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov dword ptr [esp+0Ch], eax 0x00000043 rdtsc
Source: C:\Users\user\Desktop\readme.msg.bat.exe
RDTSC instruction interceptor: First address: 40C1FC second address: 40C20A instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+0Ch], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [7598188Ch] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007EFDC919F7D5h 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 mov esp, ebp 0x0000003b pop ebp 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov dword ptr [esp+10h], eax 0x00000043 rdtsc
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor,
Source: C:\Users\user\Desktop\readme.msg.bat.exe
Code function: 0_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA,